CVE Catalog

CVE-2026-12094

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to and including 1.0.0. The function does not perform nonce verification, capability checks, or ownership checks before deleting data from the wp_cf7cdb_data table.

Risk Assessment

Attackers can delete arbitrary contact form submission entries stored by the plugin, leading to data loss and potential integrity issues within the organization.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability and implement additional security measures such as nonce verification and capability checks.

Original NVD description (English source)

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both `wp_ajax_cf7cdb_delete` and `wp_ajax_nopriv_cf7cdb_delete`, and it performs no nonce verification, no capability check, and no ownership check before invoking `$wpdb->delete()` against the `wp_cf7cdb_data` table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS