HarborGuard Database

CVE-2026-40769 | Severity: HIGH | CNA: Patchstack

CVE-2026-40769: WordPress Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin <= 1.0.6 - Arbitrary File Deletion vulnerability

Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field, versions <= 1.0.6.

Metrics

  • CVSS v3.1: 8.6
  • Severity: HIGH
  • Fixed in: no fixed version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated arbitrary file deletion vulnerability exists in the Contact Form Extender for Divi plugin (Save Entries, File Upload and Country Code Field) for WordPress, versions 1.0.6 and earlier. The flaw is reachable over the network and requires no login, meaning any remote visitor can trigger it without any prior access. Successful exploitation lets an attacker delete arbitrary files on the server, which can corrupt the WordPress installation, remove critical application files, or take the site offline. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-40769 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Coverage applies to both registry scans and in-pipeline image checks.
Triage: Available

HarborGuard scores this CVE at CVSS 8.6 HIGH (v3.1) and weights that score against each environment's compliance policy to determine urgency and ticket routing. Triage assignments are directed to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a corrected release. In the meantime, HarborGuard surfaces the affected images and their exposure so customers can apply compensating controls while the patch is pending.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP/HTTPS to trigger the file deletion.

  • Authentication: Not required

    No account or session token is needed; the deletion request can be sent by any unauthenticated visitor.

  • Victim interaction: Not required

    The attacker sends a direct request to the server; no user action such as clicking a link is required.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites.

Blast Radius

  • Attacker deletes arbitrary files on the web server, including WordPress core files, theme files, or plugin files, breaking site functionality.
  • Removal of wp-config.php takes the site offline: with the file absent, WordPress falls back to its setup screen rather than loading the site. Deleting the file does not by itself disclose its contents, which is consistent with the CVSS vector scoring no confidentiality impact (C:N); an exposed setup screen is, however, a well-known stepping stone toward site takeover and is the main reason this bug class should not be treated as availability-only in practice.
  • Deletion of upload directory contents destroys stored user-submitted data and media assets with no built-in recovery path.
  • Availability of the entire WordPress instance is fully compromised; CVSS A:H reflects a complete denial of service to legitimate users.
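The following is an added illustration of the bug class behind this advisory, not the plugin's code (the advisory does not publish the affected code path). It shows a WordPress AJAX handler that unlinks a client-supplied path with no authentication, next to a hardened version that requires a capability and a nonce, confines deletion to one fixed directory under wp-content/uploads via realpath, and deliberately registers no `wp_ajax_nopriv_` hook. The action name `cfe_delete_attachment`, the `file` and `nonce` parameters and the `cfe-attachments` subdirectory are assumptions made for the example.

```php
<?php
// Added example: generic arbitrary-file-deletion pattern and its hardened form.
// Load as a (mu-)plugin; relies on the WordPress API. Not the advisory's code.

// ---- UNSAFE (do not use): the shape of an unauthenticated arbitrary deletion ----
// "nopriv" makes the handler reachable with no login, there is no nonce,
// and the full path comes straight from the request.
add_action('wp_ajax_nopriv_cfe_unsafe_delete', function () {
    $file = $_POST['file'] ?? '';
    if ($file !== '' && file_exists($file)) {
        unlink($file);   // any path the web server user can write, e.g. wp-config.php
    }
    wp_die();
});

// ---- HARDENED ----
// Deletes only a plain file name inside uploads/cfe-attachments (hypothetical dir).
function cfe_safe_delete_upload(string $requested): bool
{
    // Reject anything that is not a bare file name: no slashes, no "..", no empty.
    if ($requested === '' || basename($requested) !== $requested || $requested[0] === '.') {
        return false;
    }
    $uploads = wp_upload_dir();
    $dir = realpath($uploads['basedir'] . '/cfe-attachments');
    if ($dir === false) {
        return false;
    }
    // realpath() resolves symlinks, so a link pointing outside the directory
    // is caught by the prefix check below.
    $target = realpath($dir . '/' . $requested);
    if ($target === false || strpos($target, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // escaped the allowed tree
    }
    return is_file($target) && unlink($target);
}

// Only the authenticated hook is registered. An unauthenticated request for this
// action hits admin-ajax.php with no matching nopriv handler and gets "0" back.
add_action('wp_ajax_cfe_delete_attachment', function () {
    // 1. Authorization: only users who may manage the site/entries.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // 2. CSRF: nonce issued with wp_create_nonce('cfe_delete_attachment'); dies on mismatch.
    check_ajax_referer('cfe_delete_attachment', 'nonce');
    // 3. Path confinement: sanitize, then restrict to the fixed directory.
    $name = sanitize_file_name(wp_unslash($_POST['file'] ?? ''));
    if (!cfe_safe_delete_upload($name)) {
        wp_send_json_error('invalid file', 400);
    }
    wp_send_json_success(['deleted' => $name]);
});
```

The three checks are independent: dropping the nopriv registration removes the unauthenticated reach that makes this CVE PR:N, the nonce stops a logged-in administrator from being tricked into deleting files, and the realpath prefix check is what turns "delete any file" into "delete one of our own attachments" even if the first two controls are bypassed.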

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-40769 as of the publication date, the platform continuously monitors the Patchstack advisory and associated upstream repository on every ingest cycle. The moment a patched release is published, a rebuilt image at that version becomes available, and customers with auto-remediation enabled receive a rebuild, a regression-test run, and a PR opened against affected workloads (median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for those environments). While the patch is pending, HarborGuard recommends applying compensating controls where feasible: isolate WordPress pods behind a network policy that restricts inbound access to trusted sources, add a WAF or reverse-proxy rule to block requests to the plugin's file-handling endpoints (the advisory does not name them, so confirm the request path and parameters from the plugin source before writing the rule), and consider temporarily deactivating the plugin if form submissions can be paused. All images containing versions 1.0.6 or earlier of the plugin are flagged in the HarborGuard dashboard with remediation status set to 'awaiting upstream fix'.
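As an added check (not HarborGuard's scanner and not the plugin's code), the script below walks a WordPress plugins directory, reads each plugin's main-file header the way WordPress does (from the first 8 KiB of the file) and flags every copy of the plugin whose Version is <= 1.0.6. It builds a constructed plugin tree in a temporary directory so it runs offline; the directory slugs are assumptions, and the 1.0.7 entry exists only to show the comparison (no fixed release has been announced).

```php
<?php
// Added example: flag installed copies of the affected plugin at version <= 1.0.6.
// Run with: php cfe-scan.php            (uses a constructed sample tree)
// Point cfe_find_affected() at a real wp-content/plugins directory to scan a site.

const CFE_PLUGIN_NAME = 'Contact Form Extender for Divi';  // prefix of the full title
const CFE_AFFECTED_UP_TO = '1.0.6';

/** Parse "Plugin Name:" and "Version:" from a plugin file header (first 8 KiB). */
function cfe_plugin_header(string $file): ?array
{
    $head = file_get_contents($file, false, null, 0, 8192);
    if ($head === false || !preg_match('/^[ \t\/*#@]*Plugin Name:\s*(.+?)\s*$/mi', $head, $n)) {
        return null;   // not a plugin main file
    }
    $version = preg_match('/^[ \t\/*#@]*Version:\s*(.+?)\s*$/mi', $head, $v) ? $v[1] : '0';
    return ['name' => $n[1], 'version' => $version];
}

/** Return [slug => version] for every copy of the plugin at or below 1.0.6. */
function cfe_find_affected(string $pluginsDir): array
{
    $hits = [];
    foreach (glob($pluginsDir . '/*/*.php') ?: [] as $file) {
        $h = cfe_plugin_header($file);
        if ($h === null || stripos($h['name'], CFE_PLUGIN_NAME) !== 0) {
            continue;   // some other plugin
        }
        // version_compare() understands PHP-style versions ("1.0.6", "1.0.6.1", "1.0.6-beta").
        if (version_compare($h['version'], CFE_AFFECTED_UP_TO, '<=')) {
            $hits[basename(dirname($file))] = $h['version'];
        }
    }
    return $hits;
}

// Constructed sample tree (made up for this example): one affected copy, one copy at a
// hypothetical later version, one unrelated plugin.
$root = sys_get_temp_dir() . '/cfe-scan-' . uniqid();
$samples = [
    'contact-form-extender-for-divi/contact-form-extender-for-divi.php' =>
        "<?php\n/*\nPlugin Name: Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field\nVersion: 1.0.6\n*/\n",
    'cfe-hypothetical-later-copy/cfe.php' =>
        "<?php\n/*\nPlugin Name: Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field\nVersion: 1.0.7\n*/\n",
    'hello-dolly/hello.php' =>
        "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
];
foreach ($samples as $rel => $body) {
    @mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", $body);
}

foreach (cfe_find_affected($root) as $slug => $ver) {
    echo "AFFECTED: wp-content/plugins/$slug (version $ver <= " . CFE_AFFECTED_UP_TO . ")\n";
}
```

Matching on the title prefix rather than the directory slug is deliberate: the slug is not given in the advisory, while the plugin name is, and the full title (with its en dash and subtitle) is what WordPress stores in the header.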

Affected packages
  • Satinder Singh / Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field
    ≤ 1.0.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H