[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHBRzljVkQkutsRfAKWOt08X3EVKVLmIhilyb3_jfuUs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-32496","spam-protect-for-contact-form-7-authenticated-editor-arbitrary-file-deletion","Spam Protect for Contact Form 7 \u003C= 1.2.9 - Authenticated (Editor+) Arbitrary File Deletion","The Spam Protect for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.2.9. 
This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).","wp-contact-form-7-spam-blocker",null,"\u003C=1.2.9","1.2.10","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-03-20 00:00:00","2026-03-27 18:33:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F76421c8e-de5f-4469-9a32-09976de873b4?source=api-prod",8,[22,23,24],"README.txt","admin\u002Fclass-admin.php","spam-protect-for-contact-form7.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-32496\n\n## 1. Vulnerability Summary\nThe **Spam Protect for Contact Form 7** plugin (versions \u003C= 1.2.9) is vulnerable to **Arbitrary File Deletion** due to a path traversal flaw in its log management logic. The plugin allows users to define a custom filename for spam logs and provides a feature to \"erase\" this log file. Because the plugin insufficiently validates the file path before passing it to the PHP `unlink()` function, an authenticated attacker with **Editor** privileges or higher can delete sensitive files (like `wp-config.php`) by providing a malicious path such as `..\u002Fwp-config.php`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** WordPress Admin Panel, specifically the Contact Form 7 (CF7) editor page.\n- **Action\u002FHook:** `wpcf7_after_save` action hook, which triggers the plugin's `spcf7_plugin_save_contact_form` method.\n- **Vulnerable Parameter:** `wpcf7_block_log_filename`.\n- **Trigger Parameter:** A parameter to trigger the log erasure (inferred as `wpcf7_erase_log` or `wpcf7_erase_logfile`).\n- **Required Role:** Authenticated **Editor** or higher (as they can edit CF7 forms).\n- **Preconditions:**\n    1. 
The plugin **Spam Protect for Contact Form 7** must be active.\n","The Spam Protect for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to and including 1.2.9 due to path traversal in its log management feature. Authenticated attackers with Editor-level access or higher can exploit this by supplying a malicious file path in the log filename parameter and triggering the log erasure functionality, potentially leading to the deletion of critical files like wp-config.php.","\u002F\u002F admin\u002Fclass-admin.php line 273\n        \u002F\u002F Log filename\n        $wpcf7_block_log_filename = sanitize_text_field( preg_replace('\u002F[\\x00-\\x1F\\x80-\\xFF]\u002F', '', $_POST['wpcf7_block_log_filename'] ) );\n        update_post_meta($post_id, \"_wpcf7_block_log_filename\", trim($wpcf7_block_log_filename));\n\n        \u002F\u002FErase Log\n        $erase_log = sanitize_text_field($_POST['wpcf7_block_log_erase']);\n        if ($erase_log == \"1\"){\n            if ($wpcf7_block_log_filename != \"\"){\n                unlink(\"..\u002Fwp-content\u002F\".$wpcf7_block_log_filename);\n            }else{\n                $log_handle = fopen(\"..\u002Fwp-content\u002Fspcf_spam_block.log\", \"w\" );\n                fclose($log_handle);\n            }\n        }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-contact-form-7-spam-blocker\u002F1.2.9\u002Fadmin\u002Fclass-admin.php\t2025-08-16 18:17:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-contact-form-7-spam-blocker\u002F1.2.10\u002Fadmin\u002Fclass-admin.php\t2026-02-06 21:29:26.000000000 +0000\n@@ -83,6 +83,8 @@\n         $can_send_request = false;\n \n         if ($wpcf7_block_log_filename != \"\") { $log_file_size = filesize(\"..\u002Fwp-content\u002F\".$wpcf7_block_log_filename); }else{ $log_file_size = filesize(\"..\u002Fwp-content\u002Fspcf_spam_block.log\"); }\n+        if 
(empty($wpcf7_block_log_filename)) { $wpcf7_block_log_filename = \"spcf_spam_block.log\"; }\n+\n         $log_file_size_str = 0;\n         if ($log_file_size > 0 && $log_file_size \u003C 1024000){\n             $log_file_size_str = round($log_file_size \u002F1024, 2).\" KB\";\n@@ -184,8 +186,8 @@\n                 \u003Cdiv class=\"block-error-msg\">\n                     \u003Ch3 class=\"blocker-7-setting second\">Set your log file filename. \u003Cspan>\u003Csmall>(optional)\u003C\u002Fsmall>\u003C\u002Fspan>\u003C\u002Fh3>\n                     \u003Cp>\u003Csmall class=\"blocker-7-setting-small\">\n-                        Please specify the filename you prefer for storing the log. For instance, 'spcf_spam_block.log' (recommended), 'mylog.txt,' or '[random-secret-name].html.' \u003Cbr>\n-                    You may leave this field blank to use the default value. Utilize this field to manage different log files for multiple contact forms across your site. \u003Cbr>\n+                    Please specify the filename you prefer for storing the log. For instance, 'spcf_spam_block.log' (recommended), 'myform.log,' or '[random-name].log', extension must always be (.log). \u003Cbr>\n+                    You may leave this field blank to use the default value 'spcf_spam_block.log'. You can utilize this field to manage different log files for multiple contact forms across your site. 
\u003Cbr>\n                     IMPORTANT: Ensure your server supports MIME file extensions for download or viewing, and ensure the file does already exist or is being used by another plugin.\n                     \u003C\u002Fsmall>\u003C\u002Fp>\n                     \u003Cinput type=\"text\" name=\"wpcf7_block_log_filename\" id=\"wpcf7-block-log-filename-id\" \n@@ -271,7 +273,17 @@\n \n         \u002F\u002F Log filename\n         $wpcf7_block_log_filename = sanitize_text_field( preg_replace('\u002F[\\x00-\\x1F\\x80-\\xFF]\u002F', '', $_POST['wpcf7_block_log_filename'] ) );\n-        update_post_meta($post_id, \"_wpcf7_block_log_filename\", trim($wpcf7_block_log_filename));\n+        \u002F\u002F Ensure filename is not empty and ends with .log\n+        if (!empty($wpcf7_block_log_filename)) {\n+            \u002F\u002F Ensure filename ends with .log\n+            if (pathinfo($wpcf7_block_log_filename, PATHINFO_EXTENSION) !== 'log') {\n+                $wpcf7_block_log_filename .= '.log';\n+            }\n+        } else {\n+            $wpcf7_block_log_filename = \"spcf_spam_block.log\";\n+        }\n+        \n+        update_post_meta($post_id, \"_wpcf7_block_log_filename\", trim($wpcf7_block_log_filename));        \n \n         \u002F\u002FErase Log\n         $erase_log = sanitize_text_field($_POST['wpcf7_block_log_erase']);","To exploit this vulnerability, an authenticated attacker with Editor privileges or higher (who has permission to edit Contact Form 7 forms) must submit a POST request to save a form's settings. This request is typically directed to wp-admin\u002Fadmin.php and triggers the wpcf7_after_save hook. The attacker includes the wpcf7_block_log_filename parameter set to a path traversal string targeting a sensitive file (e.g., ..\u002Fwp-config.php) and sets the wpcf7_block_log_erase parameter to 1. 
Because the plugin does not validate the filename for directory traversal sequences before passing it to the unlink() function, the specified file is deleted from the server.","gemini-3-flash-preview","2026-04-18 01:42:26","2026-04-18 01:43:13",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.2.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-spam-blocker\u002Ftags\u002F1.2.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-contact-form-7-spam-blocker.1.2.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-spam-blocker\u002Ftags\u002F1.2.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-contact-form-7-spam-blocker.1.2.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-spam-blocker\u002Ftags"]