CVE-2026-6455: WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via 'contact_form' Parameter
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. The root cause is a missing nonce verification in the process_bulk_action() function: the nonce is only checked when _wpnonce is present in the POST body, so an attacker bypasses the check simply by omitting the field. This is combined with an unsanitized, unparameterized user-supplied value used in a numeric SQL context (WHERE ID = $ID) and unsafe deserialization of the post_content field returned by that query. An attacker can craft a CSRF page that tricks a logged-in administrator into submitting a UNION-based SQL injection payload (built with CHAR() so that the esc_sql() quote-escaping is irrelevant, since a numeric context needs no quotes) that returns a malicious serialized PHP array as post_content. After deserialization, the values of any keys containing 'ys_cfdbh_file' are appended to the uploads directory path with no path traversal validation and passed to wp_delete_file(), letting the attacker delete arbitrary files on the server (e.g., wp-config.php, and any other file the web server process has permission to unlink).
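To make the four defects concrete, here is an added illustration in PHP of the vulnerable shape the advisory describes next to a hardened version. It is not the plugin's code: the function names, the nonce action string and the SQL text are assumptions, and only the behaviours named above (nonce checked only when present, unparameterized numeric ID, unserialize() of post_content, unchecked path joined onto the uploads directory, wp_delete_file()) are taken from the advisory.

```php
<?php
// Illustrative reconstruction, NOT the plugin's source. Function names,
// the nonce action and the SQL text are assumptions; the behaviours are
// the ones the advisory describes.

// --- Vulnerable shape (assumed) ------------------------------------------
function ys_cfdbh_bulk_action_vulnerable() {
    global $wpdb;

    // Defect 1: the nonce is verified only when the field is present, so a
    // cross-site form that simply omits _wpnonce passes straight through.
    if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'bulk-action' ) ) {
        wp_die( 'Invalid nonce' );
    }

    // Defect 2: esc_sql() only escapes quotes. In an unquoted numeric context
    // "1 UNION SELECT ... CHAR(...)" contains no quotes and runs as written.
    $id  = esc_sql( $_POST['contact_form'] );
    $row = $wpdb->get_row( "SELECT post_content FROM {$wpdb->posts} WHERE ID = $id" );

    // Defect 3: attacker-controlled post_content is deserialized without limits.
    $data = unserialize( $row->post_content );

    // Defect 4: values are joined onto the uploads dir with no traversal check;
    // wp_delete_file() itself does no path validation, it just unlinks.
    $upload = wp_upload_dir();
    foreach ( (array) $data as $key => $value ) {
        if ( false !== strpos( (string) $key, 'ys_cfdbh_file' ) ) {
            wp_delete_file( $upload['basedir'] . '/' . $value ); // e.g. ../../wp-config.php
        }
    }
}

// --- Hardened shape ------------------------------------------------------
function ys_cfdbh_bulk_action_hardened() {
    global $wpdb;

    // Fix 1: check_admin_referer() dies when the nonce is missing OR invalid,
    // and a capability check keeps lower-privileged accounts out as well.
    check_admin_referer( 'ys-cfdbh-bulk' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // Fix 2: coerce to int and bind with %d, so no attacker string reaches SQL.
    $id  = absint( $_POST['contact_form'] ?? 0 );
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT post_content FROM {$wpdb->posts} WHERE ID = %d",
        $id
    ) );
    if ( ! $row ) {
        return;
    }

    // Fix 3: refuse object instantiation during deserialization.
    $data = unserialize( $row->post_content, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return;
    }

    // Fix 4: resolve the real path and require it to stay inside uploads/.
    $real_base = realpath( wp_upload_dir()['basedir'] );
    if ( false === $real_base ) {
        return;
    }
    $base = wp_normalize_path( $real_base );
    foreach ( $data as $key => $value ) {
        if ( ! is_string( $value ) || false === strpos( (string) $key, 'ys_cfdbh_file' ) ) {
            continue;
        }
        $target = realpath( $base . '/' . $value );
        if ( false === $target ) {
            continue; // file does not exist
        }
        $target = wp_normalize_path( $target );
        if ( 0 !== strpos( $target, $base . '/' ) ) {
            continue; // resolved outside the uploads directory (../ or symlink)
        }
        wp_delete_file( $target );
    }
}
```

The prefix check after realpath() is the part that matters for the file-deletion stage: it catches both `../` sequences and symlinks that point out of the uploads tree, whereas a string check on the raw value would catch only the former.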
HarborGuard Analysis
Synopsis
This is a Cross-Site Request Forgery (CSRF) chained with SQL injection and unsafe PHP object deserialization in the WP Contact Form 7 DB Handler plugin for WordPress, affecting all versions up to and including 3.0. The vulnerability is reachable over the network and requires no authentication on the attacker's part, but does require a logged-in WordPress administrator to visit a malicious page. Successful exploitation lets an attacker delete arbitrary files on the server, including wp-config.php and other critical system files, causing persistent integrity damage and potential full site compromise. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Wordfence advisory pipeline) within minutes of publication and matched against customer images, including custom-built WordPress images, in registry and CI pipeline scans. Any image containing the yudiz WP Contact Form 7 DB Handler plugin at version 3.0 or earlier will surface this finding automatically.
HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it further against each environment's compliance policy; internet-facing WordPress deployments, for example, receive elevated routing priority. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.
Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. In the interim, compensating-control guidance is surfaced in the finding detail to help reduce exposure.
Exploit Conditions
- Network reachability: Required
The payload is delivered through the victim's browser, so the WordPress admin interface only needs to be reachable from the administrator's browser, not from the attacker directly; the attacker just has to serve a web page the victim loads.
- Authentication: Not required
The attacker needs no credentials of their own; exploitation works by coercing an already-authenticated administrator, so no account of any privilege level is required on the attacker's side.
- Victim interaction: Required
A logged-in WordPress administrator must visit or load the attacker-controlled CSRF page, making social engineering (phishing, a malicious link) a necessary step in the attack chain.
- Attack complexity: Low (AC:L)
Exploit reliability is high and no race conditions or special environmental factors are required; the nonce bypass, UNION-based SQL injection, and deserialization chain are all deterministic once the admin visits the crafted page.
Blast Radius
- Deletes arbitrary files on the server by supplying attacker-controlled paths appended to the WordPress uploads directory, including wp-config.php and site-critical files.
- Removing wp-config.php triggers WordPress's installation wizard on next load, allowing a separate attacker (or the same one) to re-configure the database connection and take full control of the site.
- Deletion of theme files, plugin files, or core WordPress files causes immediate site outages and corrupts the running application.
- Persistent file loss is not recoverable at the application layer; restoration requires out-of-band backup access, extending the impact beyond the initial exploitation window.
How HarborGuard Handles This
Because no upstream patch exists for this CVE as of the publication date, HarborGuard monitors the Wordfence advisory and upstream plugin repository on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix is released. In the meantime, the finding detail for affected images includes compensating-control guidance: apply a network policy that restricts wp-admin access to known IP ranges (this narrows the pool of possible victims but does not by itself stop CSRF, since the forged request originates from the administrator's own browser); add a web application firewall rule that rejects POST requests to wp-admin whose Origin or Sec-Fetch-Site header shows they came from another site, which is the control that actually breaks the CSRF step; and consider temporarily disabling the WP Contact Form 7 DB Handler plugin if form-submission storage is not operationally required. For customers with auto-remediation enabled, a rebuild and regression run will be queued and a PR opened against affected workloads as soon as a fix version is confirmed upstream, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes in those environments.
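As an application-level counterpart to the cross-origin POST rule above, here is an added mu-plugin that rejects state-changing requests to wp-admin when the browser's Sec-Fetch-Site or Origin header shows they were initiated by another site, which is exactly how a CSRF page delivers the payload. It is example code, not something HarborGuard or the plugin ships; the function name and the file location are assumptions, and it is a stop-gap that does not replace the upstream nonce fix.

```php
<?php
/*
Plugin Name: Reject cross-site POSTs to wp-admin (illustrative mu-plugin)
Description: Added example, not part of the advisory or the plugin.
             Drop into wp-content/mu-plugins/ as an interim control.
*/

// Decide from request headers whether a request was initiated by another
// site. $server is $_SERVER (passed in so the logic is testable),
// $allowed_hosts are the hosts this install is served from.
function ys_csrf_guard_is_cross_site( array $server, array $allowed_hosts ): bool {
    // Fetch Metadata (Chromium, Firefox, Safari 16.4+): the browser states
    // directly whether the request crossed a site boundary.
    $sfs = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    if ( 'cross-site' === $sfs ) {
        return true;
    }
    if ( in_array( $sfs, array( 'same-origin', 'same-site', 'none' ), true ) ) {
        return false; // same site, or a user-initiated navigation (bookmark, typed URL)
    }

    // Fallback for browsers without Fetch Metadata: every browser attaches an
    // Origin header to a cross-origin POST, so compare its host with ours.
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ( '' !== $origin ) {
        $host = strtolower( (string) wp_parse_url( $origin, PHP_URL_HOST ) );
        return ! in_array( $host, array_map( 'strtolower', $allowed_hosts ), true );
    }

    // No signal at all (curl, WP-CLI style clients): allow, to avoid breaking
    // non-browser automation that never carried a CSRF risk.
    return false;
}

add_action( 'init', function () {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ( in_array( $method, array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return; // safe methods cannot reach process_bulk_action()'s POST handling
    }
    if ( ! is_admin() ) {
        return; // only guard the wp-admin surface (includes admin-ajax/admin-post)
    }
    $allowed = array_filter( array(
        wp_parse_url( site_url(), PHP_URL_HOST ),
        wp_parse_url( home_url(), PHP_URL_HOST ),
    ) );
    if ( ys_csrf_guard_is_cross_site( $_SERVER, $allowed ) ) {
        status_header( 403 );
        nocache_headers();
        exit( 'Cross-site request to wp-admin rejected' );
    }
}, 0 );
```

Both site_url() and home_url() hosts are allowed because wp-admin lives under the former while front-end forms that post to admin-post.php carry the latter as their Origin; a same-site subdomain is accepted via the Sec-Fetch-Site "same-site" value, so adjust the host list if your deployment splits those further.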
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - yudiz / WP Contact Form 7 DB Handler ≤ 3.0
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H