CVE Catalog

CVE-2026-9843

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Summary

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to and including 1.5.1. This allows unauthenticated attackers to delete arbitrary files on the server.

Risk Assessment

Attackers can delete critical files, potentially leading to remote code execution if the right file, such as wp-config.php, is deleted. Successful exploitation requires an administrator to view or edit the poisoned form entry.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability. Additionally, access to the admin panel should be restricted to trusted users.

Original NVD description (English source)

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP's bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS