[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1Zw4KIO7c0yEnPKCNlHmHGvpYWAYBqTeKNYL9f20C34":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"source_links":40},"CVE-2026-0811","advanced-cf7-db-cross-site-request-forgery-to-form-entry-deletion","Advanced CF7 DB \u003C= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion","The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. 
This makes it possible for unauthenticated attackers to delete form entries via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.","advanced-cf7-db",null,"\u003C=2.0.9","2.1.0","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Cross-Site Request Forgery (CSRF)","2026-04-08 05:13:07","2026-04-08 17:25:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F88097744-d2f5-4ae5-aa71-0f4a0decd911?source=api-prod",1,[22,23,24,25,26,27,28],"README.txt","admin\u002Fclass-advanced-cf7-db-admin.php","admin\u002Fpartials\u002Fcontact_form_listing.php","admin\u002Fpartials\u002Fimport_cf7_csv.php","admin\u002Fpartials\u002Fimport_cf7_entry.class.php","advanced-cf7-db.php","includes\u002Fvsz-cf7-db-function.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-0811 (Advanced CF7 DB)\n\n## 1. Vulnerability Summary\nThe **Advanced Contact form 7 DB** plugin (up to 2.0.9) is vulnerable to **Cross-Site Request Forgery (CSRF)** because it implements a flawed nonce validation pattern in several admin handlers, including the entry management screen (`admin\u002Fpartials\u002Fcontact_form_listing.php`) and the inferred `vsz_cf7_save_setting_callback` function.\n\nThe developer attempted to implement security by creating a nonce and immediately verifying it against itself (a \"no-op\" check), which effectively ignores any nonce provided in the HTTP request. This allows an unauthenticated attacker to trick a logged-in administrator into performing actions like deleting form entries.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoints**: \n    1. `wp-admin\u002Fadmin.php?page=contact-form-listing` (Bulk\u002FSingle entry deletion)\n    2. 
`wp-admin\u002Fadmin-ajax.php` (AJAX settings or bulk actions)\n- **Vulnerable Action**: Deleting form entries via the `action=delete` parameter.\n- **Authentication Level**: Unauthenticated (Attacker) \u002F Administrator (Victim).\n- **Preconditions**:\n    - The plugin must have at least one Contact Form 7 form configured.\n    - There must be at least one saved entry in the database.\n    - The attacker must know (or guess) the Form ID (`cf7_id`) and Entry ID (`data_id`).\n\n## 3. Code Flow\nThe vulnerability stems from a repetitive coding error found in multiple partials:\n\n**File:** `admin\u002Fpartials\u002Fcontact_form_listing.php` (Lines 36-41)\n```php\n$nonce = wp_create_nonce('vsz-cf7-action-nonce');\n\nif(!wp_verify_nonce( $nonce, 'vsz-cf7-action-nonce')){\n    echo esc_html('You have no permission to access this page');\n    return;\n}\n```\n1. An administrator accesses the plugin's listing page (`page=contact-form-listing`).\n2. The code generates a **new** nonce for the action `vsz-cf7-action-nonce` and stores it in `$nonce`.\n3. It then calls `wp_verify_nonce($nonce, ...)` on the variable it just created. This check **always passes** and completely ignores the `_wpnonce` parameter in `$_POST` or `$_GET`.\n4. The script continues to process state-changing parameters like `action=delete` and `data_id[]`.\n5. Because the CSRF protection is non-functional, a forged request from the admin's browser triggers the deletion logic.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nAlthough the plugin generates nonces (e.g., `vsz-cf7-action-nonce`), the validation logic is flawed (self-verifying). An attacker does not need to obtain a valid nonce to bypass the check. Simply omitting the nonce or providing a dummy value will work because the server-side code does not check the request's nonce parameter against its expected value.\n\n## 5. Exploitation Strategy\n\n### Goal: Delete a specific form entry via CSRF\n1. 
**Identify Target**: Determine the Form ID (`cf7_id`) and the Entry ID (`data_id`) to delete.\n2. **Craft Payload**: A POST request to the listing page containing the deletion action.\n3. **Execution**: Use `http_request` to simulate the administrator's browser submitting the form.\n\n**HTTP Request (Bulk Delete Action):**\n- **URL**: `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin.php?page=contact-form-listing&cf7_id=[FORM_ID]`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body Parameters**:\n    - `action`: `delete`\n    - `data_id[]`: `[ENTRY_ID]`\n    - `_wpnonce`: `anything` (ignored due to the flaw)\n\n## 6. Test Data Setup\n1. **Ensure CF7 is active**: Contact Form 7 must be installed and active.\n2. **Create a Form**: Ensure at least one form exists (default is usually ID 1).\n3. **Generate an Entry**: \n    - Use `wp post list --post_type=wpcf7_contact_form` to find a form ID.\n    - Simulate a form submission to populate the database:\n      ```bash\n      # Example submission to Form ID 1\n      curl -X POST http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fcontact-form-7\u002Fv1\u002Fcontact-forms\u002F1\u002Ffeedback \\\n           -F \"your-name=TargetUser\" -F \"your-email=target@example.com\" -F \"your-message=DeleteMe\"\n      ```\n4. **Identify the Entry ID**:\n    ```bash\n    wp db query \"SELECT data_id FROM wp_cf7_vdata_entry ORDER BY data_id DESC LIMIT 1\"\n    ```\n\n## 7. Expected Results\n- The HTTP response from the admin page should load without the \"You have no permission\" error.\n- The entry associated with the `data_id` should be purged from the database.\n\n## 8. Verification Steps\n1. **Database Check**: After the exploit, verify the entry is gone.\n   ```bash\n   wp db query \"SELECT COUNT(*) FROM wp_cf7_vdata_entry WHERE data_id = [ENTRY_ID]\"\n   ```\n   A result of `0` confirms successful deletion.\n2. 
**UI Check**: Use `browser_navigate` to `wp-admin\u002Fadmin.php?page=contact-form-listing&cf7_id=[FORM_ID]` and verify the record is no longer visible in the table.\n\n## 9. Alternative Approaches\nIf the bulk action requires specific form state, try the AJAX settings callback mentioned in the CVE:\n- **Action**: `vsz_cf7_save_setting`\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Parameters**: `action=vsz_cf7_save_setting&cf7_id=[ID]&","The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a flawed security implementation where nonces are created and immediately verified against themselves rather than validating the user's request. This allows unauthenticated attackers to trick administrators into deleting form entries or modifying plugin settings via forged requests.","\u002F\u002F admin\u002Fpartials\u002Fcontact_form_listing.php lines 36-41\n$nonce = wp_create_nonce('vsz-cf7-action-nonce');\n\nif(!wp_verify_nonce( $nonce, 'vsz-cf7-action-nonce')){\n    echo esc_html('You have no permission to access this page');\n    return;\n}\n\n---\n\n\u002F\u002F admin\u002Fclass-advanced-cf7-db-admin.php lines 881-887\nif($current_action == 'delete'){\n    if(isset($_POST['del_id']) && !empty($_POST['del_id'])){\n        \u002F\u002FGet nonce value\n        $nonce = sanitize_text_field($_POST['_wpnonce']);\n        \u002F\u002FVerify nonce value\n        \u002F\u002F if(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {\n        \u002F\u002F \tdie('Security check');\n        \u002F\u002F }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-cf7-db\u002F2.0.9\u002Fadmin\u002Fclass-advanced-cf7-db-admin.php\t2025-02-06 12:14:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-cf7-db\u002F2.1.0\u002Fadmin\u002Fclass-advanced-cf7-db-admin.php\t2026-04-02 12:45:36.000000000 +0000\n@@ -881,16 +883,19 @@\n 
\t\t\tif($current_action == 'delete'){\n \t\t\t\tif(isset($_POST['del_id']) && !empty($_POST['del_id'])){\n \t\t\t\t\t\u002F\u002FGet nonce value\n-\t\t\t\t\t$nonce = sanitize_text_field($_POST['_wpnonce']);\n+\t\t\t\t\tif(!isset($_POST['_wpnonce']) || empty($_POST['_wpnonce'])){\n+\t\t\t\t\t\twp_die(__('Security check failed: Missing nonce.'));\n+\t\t\t\t\t}\n+\t\t\t\t\t$nonce = sanitize_text_field(wp_unslash($_POST['_wpnonce']));\n \t\t\t\t\t\u002F\u002FVerify nonce value\n-\t\t\t\t\t\u002F\u002F if(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {\n-\t\t\t\t\t\u002F\u002F \tdie('Security check');\n-\t\t\t\t\t\u002F\u002F }\n+\t\t\t\t\tif(!wp_verify_nonce($nonce, 'vsz-cf7-action-nonce')) {\n+\t\t\t\t\t\twp_die(__('Security check failed: Invalid nonce.'));\n+\t\t\t\t\t}\n \t\t\t\t\t\u002F\u002FGet Delete row ID information\n-\t\t\t\t\t$del_id = array_map('sanitize_text_field',$_POST['del_id']);\n+\t\t\t\t\t$del_id = array_map('sanitize_text_field', wp_unslash($_POST['del_id']));\n \t\t\t\t\t$del_id = implode(',', array_map('intval',$del_id));\n \t\t\t\t\t\u002F\u002FGet Form ID\n-\t\t\t\t\t$fid = intval(sanitize_text_field($_POST['fid']));\n+\t\t\t\t\t$fid = intval(sanitize_text_field(wp_unslash($_POST['fid'])));","The exploit targets the entry management screen to delete saved form data. An attacker crafts a POST request to 'wp-admin\u002Fadmin.php?page=contact-form-listing' including the parameters 'action=delete', 'cf7_id=[FORM_ID]', and an array of entry IDs in 'del_id[]'. Because the plugin either comments out the nonce verification or performs a 'no-op' verification (comparing a newly generated nonce to itself), the attacker does not need to provide a valid nonce. 
The attacker then tricks a logged-in administrator into triggering this request (e.g., via a hidden form on a malicious site), resulting in the deletion of specified database records.","gemini-3-flash-preview","2026-04-16 16:30:45","2026-04-16 16:31:36",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.0.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-cf7-db\u002Ftags\u002F2.0.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-cf7-db.2.0.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-cf7-db\u002Ftags\u002F2.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-cf7-db.2.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-cf7-db\u002Ftags"]