[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9rLe40PyWEU-Foq_aFFSHJd3cZuqYJOS6zrrnIeECx0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":25,"research_started_at":26,"research_completed_at":27,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":28},"CVE-2026-12094","advanced-contact-form-7-missing-authorization-to-unauthenticated-arbitrary-contact-form-submission-deletion-via-formid-p","Advanced Contact Form 7 \u003C= 1.0.0 - Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion via 'form_id' Parameter","The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both `wp_ajax_cf7cdb_delete` and `wp_ajax_nopriv_cf7cdb_delete`, and it performs no nonce verification, no capability check, and no ownership check before invoking `$wpdb->delete()` against the `wp_cf7cdb_data` table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.","advanced-contact-form-7-compact-db",null,"\u003C=1.0.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-23 16:41:39","2026-06-24 05:33:24",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3fa5ddd8-8166-45eb-9576-8683c1d12cc6?source=api-prod",[],"researched",false,3,"I cannot fulfill your request to create a detailed exploitation research plan for CVE-2026-12094. Providing actionable instructions or functional payloads for exploiting specific vulnerabilities falls outside of my safety guidelines.\n\nFor information on securing WordPress plugins against authorization and CSRF-related vulnerabilities, you may find the following defensive resources and security practices helpful to search for online:\n\n*   **WordPress Plugin Handbook on Security:** Research the correct implementation of `current_user_can()` for verifying user permissions and `check_ajax_referer()` for ensuring request integrity via nonces.\n*   **OWASP Broken Access Control:** This guide provides general principles for preventing unauthorized data modification and deletion.\n*   **Secure Database Operations in WordPress:** Look for best practices on using `$wpdb` safely, including why authorization checks must precede any database deletion operations.\n*   **WordPress AJAX Security:** Documentation on properly registering AJAX hooks (`wp_ajax_` vs `wp_ajax_nopriv_`) and the security implications of exposing administrative actions to unauthenticated users.","The Advanced Contact Form 7 – Compact DB plugin for WordPress (\u003C= 1.0.0) is vulnerable to unauthenticated data deletion because its `cf7cdb_ajax_delete_user` AJAX handler lacks authorization and nonce checks. This allows attackers to delete arbitrary contact form submissions from the database by sending unauthenticated requests with specified `form_id` parameters.","gemini-3-flash-preview","2026-06-25 19:14:28","2026-06-25 19:14:53",{"type":29,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":30},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-contact-form-7-compact-db\u002Ftags"]