[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frt8vUDT9KRYAzt-Ge3oYSXkgl4AYo4rua7oS2K3s5pw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-9843","database-for-contact-form-7-wpforms-elementor-forms-unauthenticated-arbitrary-file-deletion-via-cf7-file-field-post-valu","Database for Contact Form 7, WPforms, Elementor forms \u003C= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value","The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP's bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file.","contact-form-entries",null,"\u003C=1.5.1","1.5.2","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-06-19 11:55:33","2026-06-20 01:27:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4169b390-0972-4aa9-ae04-f5f67afe15ef?source=api-prod",1,[22,23,24,25],"contact-form-entries.php","includes\u002Fplugin-pages.php","readme.txt","templates\u002Fview.php","researched",false,3,"This research plan focuses on **CVE-2026-9843**, a path traversal vulnerability in the \"Database for Contact Form 7\" plugin that allows for arbitrary file deletion.\n\n### 1. Vulnerability Summary\nThe \"Database for Contact Form 7, WPforms, Elementor forms\" plugin (versions \u003C= 1.5.1) fails to properly validate file paths stored in form entries. An unauthenticated attacker can submit a contact form with a specially crafted field name containing path traversal sequences (e.g., `..\u002F..\u002F..\u002F..\u002Fwp-config.php`). \n\nWhen an administrator later views or edits this poisoned entry in the WordPress dashboard, the plugin's `view_page` functionality processes the entry data. Due to how PHP's bracket parser handles nested array keys in `$_POST` (reshaping them), an attacker can bypass `isset()` checks intended to verify that a file belongs to the entry. This allows the attacker to trigger the deletion (`unlink`) of any file the web server has permissions to delete.\n\n### 2. Attack Vector Analysis\n*   **Target Endpoint:** Public-facing contact forms (Contact Form 7, WPForms, or Elementor) integrated with the plugin.\n*   **Submission Endpoint (CF7 Example):** `\u002Fwp-json\u002Fcontact-form-7\u002Fv1\u002Fcontact-forms\u002F\u003CID>\u002Ffeedback`\n*   **Trigger Endpoint (Admin):** `wp-admin\u002Fadmin.php?page=vxcf_leads&action=edit&id=\u003CEntry_ID>`\n*   **Vulnerable Parameter:** The **key** of a POST parameter intended for file uploads (e.g., `vx_file[path\u002Fto\u002Ffile]`).\n*   **Preconditions:** \n    1.  A contact form must be active on the site.\n    2.  An administrator must view or update the malicious entry in the plugin's dashboard.\n\n### 3. Code Flow\n1.  **Submission:** `vxcf_form::create_entry_cf()` (or similar for other form plugins) is triggered via the `wpcf7_before_send_mail` hook.\n2.  **Storage:** The plugin iterates over `$_POST` and `$_FILES`. It saves the submission data, including the attacker's crafted keys, into the `wp_vxcf_leads` table (or similar) as serialized data or JSON.\n3.  **Admin Interaction:** An administrator navigates to the \"CRM Entries\" page and selects the poisoned entry.\n4.  **Processing:** The `vxcf_form_pages::view_page()` (inferred) function is called. It retrieves the stored fields.\n5.  **Sink:** If the admin \"Updates\" the entry or triggers a \"Delete File\" action, the plugin compares the `POST` data against the stored fields. The \"bracket parser\" reshaping allows a manipulated `$_POST` key to be treated as a valid file path from the entry, which is then passed to `unlink()`.\n\n### 4. Nonce Acquisition Strategy\n*   **Unauthenticated Submission:** Contact Form 7 often requires a REST API nonce (`_wpcf7_unit_tag` and potentially a nonce in headers), but it is usually available to anonymous users by fetching the page containing the form.\n*   **Admin Interaction:** Accessing the admin dashboard requires standard session cookies. The \"Update\" or \"Delete\" actions in the admin panel will be protected by a WordPress nonce.\n    *   **Action Name:** `vx_crm_ajax` (for AJAX actions) or standard admin nonces.\n    *   **JS Variable:** Check `window.vxcf_leads_data` or similar localized scripts for `nonce` values.\n\n### 5. Exploitation Strategy\n1.  **Environment Setup:** Create a dummy file to delete: `wp-content\u002Fpwn.txt`.\n2.  **Reconnaissance:**\n    *   Identify an active Contact Form 7 form ID by navigating to the homepage.\n    *   Note the form's required fields (name, email, etc.).\n3.  **Poisoning (Unauthenticated):**\n    *   Submit a POST request to the CF7 endpoint.\n    *   Payload: Include a parameter like `vxcf_file[..\u002F..\u002F..\u002F..\u002Fwp-content\u002Fpwn.txt]=1`.\n4.  **Triggering (Authenticated):**\n    *   Log in as an administrator.\n    *   Navigate to `wp-admin\u002Fadmin.php?page=vxcf_leads`.\n    *   Identify the ID of the new entry.\n    *   Navigate to the Edit page: `wp-admin\u002Fadmin.php?page=vxcf_leads&action=edit&id=\u003CID>`.\n    *   Perform an \"Update\" or trigger the file removal logic.\n5.  **Verification:** Check if `wp-content\u002Fpwn.txt` still exists.\n\n### 6. Test Data Setup\n*   **Plugin Configuration:** Ensure \"Contact Form Entries\" is active and CF7 is installed.\n*   **Target File:** `touch \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fpwn.txt`\n*   **Shortcode Page:** Create a page with a form if none exists:\n    ```bash\n    wp post create --post_type=page --post_title=\"Contact\" --post_status=publish --post_content='[contact-form-7 id=\"FORM_ID\"]'\n    ```\n\n### 7. Expected Results\n*   The unauthenticated submission should return a `200 OK` status with a \"mail_sent\" or \"validation_failed\" response (the plugin saves data even if mail fails).\n*   The admin viewing\u002Fupdating the entry should result in the server calling `unlink()` on the path provided in the bracketed key.\n*   The file `wp-content\u002Fpwn.txt` should be deleted from the filesystem.\n\n### 8. Verification Steps (Post-Exploit)\n```bash\n# Check if the entry was saved in the database\nwp db query \"SELECT * FROM wp_vxcf_leads ORDER BY id DESC LIMIT 1;\"\n\n# Check if the file was deleted\nls \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fpwn.txt\n# Expected: \"ls: cannot access ... No such file or directory\"\n```\n\n### 9. Alternative Approaches\nIf the `view_page` direct trigger fails, investigate the `ajax_actions` function in `includes\u002Fplugin-pages.php`. There may be a `delete_file` action accessible via `admin-ajax.php`. \n*   **Payload for AJAX:** `action=actions_vxcf_leads&action2=delete_file&entry_id=\u003CID>&file_name=..\u002F..\u002F..\u002F..\u002Fwp-content\u002Fpwn.txt`\n*   This would require capturing the `vx_crm_ajax` nonce first.","The 'Database for Contact Form 7' plugin allows unauthenticated attackers to delete arbitrary files on the server (e.g., wp-config.php) via path traversal. This occurs because the plugin stores attacker-supplied file paths from form submissions and subsequently calls unlink() on those paths without validation when an administrator views or updates the entry.","\u002F\u002F includes\u002Fplugin-pages.php lines 1188-1200\n          if(is_array($db_files)){\n          foreach($db_files as $k=>$file){\nif(!isset($_POST['files_'.$name][$k])){   \n    \u002F\u002Fdelete old file\n    if( file_exists($upload['dir'].$file)){\n        \n    @unlink($upload['dir'].$file);    \n    }    \n               }else{ \n             $files[]=$file;      \n               }\n          }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontact-form-entries\u002F1.5.1\u002Fincludes\u002Fplugin-pages.php\\t2026-05-17 11:39:12.000000000 +0000\\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontact-form-entries\u002F1.5.2\u002Fincludes\u002Fplugin-pages.php\\t2026-06-19 11:39:34.000000000 +0000\\n@@ -1190,11 +1190,11 @@\\n         }\\n           if(is_array($db_files)){\\n           foreach($db_files as $k=>$file){\\n-if(!isset($_POST['files_'.$name][$k])){   \\n+if(!isset($_POST['files_'.$name][$k])){  \\n     \u002F\u002Fdelete old file\\n-    if( file_exists($upload['dir'].$file)){\\n-        \\n-    @unlink($upload['dir'].$file);    \\n+   $real_file=realpath($upload['dir'].$file);\\n+    if( file_exists($real_file) && strpos($real_file,'\u002Fcrm_perks_uploads\u002F') !== false){      \\n+    @unlink($real_file);    \\n     }    \\n                }else{ \\n              $files[]=$file;      \\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontact-form-entries\u002F1.5.1\u002Ftemplates\u002Fview.php\\t2026-05-17 11:39:12.000000000 +0000\\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcontact-form-entries\u002F1.5.2\u002Ftemplates\u002Fview.php\\t2026-06-19 11:39:34.000000000 +0000\\n@@ -554,7 +554,7 @@\\n     ?>\\n \u003Cdiv class=\"vx_file_single\">\\n \u003C?php echo esc_url($file_value); ?>  \\n   \u003Cdiv>\\n-  \u003Cinput type=\"hidden\" name=\"files_\u003C?php echo esc_html($f_name.'['.$k.']') ?>\" value=\"\u003C?php echo esc_html($val) ?>\" \u002F>\\n+  \u003Cinput type=\"hidden\" name=\"files_\u003C?php echo esc_html($f_name.'['.str_replace(array(\"[\" , \"]\"),'',$k).']') ?>\" value=\"\u003C?php echo esc_html($val) ?>\" \u002F>\\n   \u003Cinput type=\"file\" id=\"vx_\u003C?php echo esc_html($field['name']); ?>\" \u003C?php echo esc_html($req) ?> class=\"vx_input\" name=\"\u003C?php echo esc_html($f_name).'[]' ?>\" autocomplete=\"off\">\\n  \u003Ca href=\"#\" class=\"vx_del_link vx_float_right vx_remove_file\">\u003C?php _e('Remove','contact-form-entries') ?>\u003C\u002Fa>\\n   \u003C\u002Fdiv>","1. **Unauthenticated Submission:** The attacker identifies a Contact Form 7, WPForms, or Elementor form on the target site and submits a POST request. \n2. **Path Traversal Payload:** The submission includes a field key designed to exploit PHP's bracket parsing, such as `vx_file[..\u002F..\u002F..\u002F..\u002Fwp-config.php]`. The plugin stores this raw path in the database as a file attachment.\n3. **Administrative Trigger:** An administrator logs into the WordPress dashboard and navigates to the 'CRM Entries' page to view or edit the specific submission.\n4. **Execution:** When the administrator performs an update action, the plugin checks if the 'files' stored in the database are present in the current `$_POST` request. Because the attacker's path-based key is not present in the admin's legitimate update request, the plugin assumes the file was deleted by the user and executes `unlink()` on the traversal path, deleting the target file.","gemini-3-flash-preview","2026-06-25 20:03:08","2026-06-25 20:04:52",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.5.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontact-form-entries\u002Ftags\u002F1.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontact-form-entries.1.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontact-form-entries\u002Ftags\u002F1.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcontact-form-entries.1.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcontact-form-entries\u002Ftags"]