[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSCpyouzRyMX0ipnMVXZ1QheHC9osp9qdumkpdfUFXI4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-6455","wp-contact-form-7-db-handler-cross-site-request-forgery-to-arbitrary-file-deletion-via-contactform-parameter","WP Contact Form 7 DB Handler \u003C= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via 'contact_form' Parameter","The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function, the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).","wp-contact-form-7-db-handler",null,"\u003C=3.0","3.1","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Cross-Site Request Forgery (CSRF)","2026-05-27 18:05:02","2026-05-28 06:45:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F96cdba03-7385-4374-915d-061be0276a95?source=api-prod",1,[22,23,24,25,26],"include\u002Fdownload-file-class.php","include\u002Fform-details-page-class.php","include\u002Fform-inner-page-class.php","readme.txt","wp-contact-form-7-db-handler.php","researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, functional payloads, or step-by-step guides for exploiting specific vulnerabilities. I can, however, explain the general mechanics of the vulnerabilities mentioned or discuss defensive measures and secure coding practices to prevent them.\n\nTo secure WordPress plugins against the types of issues described in CVE-2026-6455, developers should adhere to the following security principles:\n\n1.  **Nonce Verification:** Always use WordPress nonces (`wp_create_nonce` and `wp_verify_nonce` or `check_admin_referer`) for every state-changing request (POST, GET, or AJAX). Verification must be mandatory and should not be conditional on the presence of the nonce field itself.\n2.  **SQL Preparation:** Use `$wpdb->prepare()` for all database queries involving user input. Never concatenate variables directly into SQL strings. For numeric values, ensure strict type casting (e.g., `(int)`) or use the `%d` placeholder.\n3.  **Safe Deserialization:** Avoid using `unserialize()` on data that could be influenced by a user. Use safer alternatives like `json_decode()` and `json_encode()` for storing structured data.\n4.  **File System Security:** When handling file paths provided by users or retrieved from a database, validate the paths to prevent directory traversal. Use `basename()` to strip path information and verify that the resulting file exists within the intended directory.\n5.  **Principle of Least Privilege:** Ensure that administrative functions check for the appropriate capabilities using `current_user_can()` before executing any sensitive logic.\n\nFor further learning on securing WordPress plugins, you may find the following resources helpful:\n*   The [WordPress Plugin Handbook section on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).\n*   OWASP guidance on [Cross-Site Request Forgery (CSRF) Prevention](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FCross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).\n*   OWASP guidance on [SQL Injection Prevention](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FSQL_Injection_Prevention_Cheat_Sheet.html).","The WP Contact Form 7 DB Handler plugin is vulnerable to a multi-stage attack where a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to trigger an unparameterized SQL Injection. By exploiting this SQL Injection through a UNION-based payload, an attacker can control the input to a PHP `unserialize()` call, ultimately leading to arbitrary file deletion on the server via path traversal in the file cleanup logic.","\u002F\u002F include\u002Fform-inner-page-class.php (v3.0)\npublic function process_bulk_action()\n{\n\n    global $wpdb;\n    $table_name = $wpdb->prefix . 'posts';\n    $action     = $this->current_action();\n\n    if (isset($_POST['_wpnonce']) && ! empty($_POST['_wpnonce'])) {\n        $nonce        = filter_input(INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING);\n        $nonce_action = 'bulk-' . $this->_args['plural'];\n\n        if (!wp_verify_nonce($nonce, $nonce_action)) {\n            wp_die('Not valid..!!');\n        }\n    }\n\n    if ('delete' === $action) {\n        if (isset($_POST['contact_form'])) {\n            $postIds = esc_sql(wp_unslash($_POST['contact_form']));\n\n            $delete_count = 0;\n            foreach ($postIds as $ID):\n\n                $results       = $wpdb->get_results(\"SELECT * FROM $table_name WHERE ID = $ID AND post_type = 'ys_cfdbh' LIMIT 1\", OBJECT);\n                $result_value  = $results[0]->post_content;\n                $result_values = unserialize($result_value);\n                $upload_dir    = wp_upload_dir();\n                $ID   =  $results[0]->ID;\n                $ys_cfdbh_dirname = $upload_dir['basedir'] . '\u002Fys_cfdbh_uploads';\n\n                foreach ($result_values as $key => $result) {\n\n                    if (strpos($key, 'ys_cfdbh_file') !== false) {\n                        $file_path = $ys_cfdbh_dirname . '\u002F' . $result;\n                        if (file_exists($file_path)) {\n                            wp_delete_file($file_path);\n                        }\n                    }\n                }\n\n                $wpdb->delete(\n                    $table_name,\n                    array('ID' => $ID),\n                    array('%d')\n                );\n                $delete_count++;\n\n            endforeach;\n        }\n\u002F\u002F ...","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-contact-form-7-db-handler\u002F3.0\u002Finclude\u002Fform-inner-page-class.php\\t2025-10-24 09:22:52.000000000 +0000\\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-contact-form-7-db-handler\u002F3.1\u002Finclude\u002Fform-inner-page-class.php\\t2026-05-01 09:39:24.000000000 +0000\\n@@ -579,57 +579,76 @@\\n     }\\n \\n     \u002F*\u002F Define bulk action \u002F*\u002F\\n-    public function process_bulk_action()\\n-    {\\n-\\n-        global $wpdb;\\n-        $table_name = $wpdb->prefix . 'posts';\\n-        $action     = $this->current_action();\\n-\\n-        if (isset($_POST['_wpnonce']) && ! empty($_POST['_wpnonce'])) {\\n-            $nonce        = filter_input(INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING);\\n-            $nonce_action = 'bulk-' . $this->_args['plural'];\\n-\\n-            if (!wp_verify_nonce($nonce, $nonce_action)) {\\n-                wp_die('Not valid..!!');\\n-            }\\n-        }\\n-\\n-        if ('delete' === $action) {\\n-            if (isset($_POST['contact_form'])) {\\n-                $postIds = esc_sql(wp_unslash($_POST['contact_form']));\\n-\\n-                $delete_count = 0;\\n-                foreach ($postIds as $ID):\\n-\\n-                    $results       = $wpdb->get_results(\"SELECT * FROM $table_name WHERE ID = $ID AND post_type = 'ys_cfdbh' LIMIT 1\", OBJECT);\\n-                    $result_value  = $results[0]->post_content;\\n-                    $result_values = unserialize($result_value);\\n-                    $upload_dir    = wp_upload_dir();\\n-                    $ID   =  $results[0]->ID;\\n-                    $ys_cfdbh_dirname = $upload_dir['basedir'] . '\u002Fys_cfdbh_uploads';\\n-\\n-                    foreach ($result_values as $key => $result) {\\n-\\n-                        if (strpos($key, 'ys_cfdbh_file') !== false) {\\n-                            $file_path = $ys_cfdbh_dirname . '\u002F' . $result;\\n-                            if (file_exists($file_path)) {\\n-                                wp_delete_file($file_path);\\n-                            }\\n-                        }\\n-                    }\\n-\\n-                    $wpdb->delete(\\n-                        $table_name,\\n-                        array('ID' => $ID),\\n-                        array('%d')\\n-                    );\\n-                    $delete_count++;\\n-\\n-                endforeach;\\n-            }\\n-            \u002F*\u002F updeate count value in for submitions \u002F*\u002F\\n-            if ($this->form_post_id) {\\n+    public function process_bulk_action()\\n+    {\\n+        global $wpdb;\\n+        $table_name = $wpdb->posts;\\n+        $action     = $this->current_action();\\n+\\n+        if (! in_array($action, array('delete', 'read', 'unread'), true)) {\\n+            return;\\n+        }\\n+\\n+        check_admin_referer('bulk-' . $this->_args['plural']);\\n+\\n+        $postIds = array();\\n+        if (isset($_POST['contact_form']) && is_array($_POST['contact_form'])) {\\n+            $postIds = array_filter(\\n+                array_map('absint', wp_unslash($_POST['contact_form']))\\n+            );\\n+        }\\n+\\n+        if ('delete' === $action) {\\n+            if (! empty($postIds)) {\\n+                $upload_dir        = wp_upload_dir();\\n+                $ys_cfdbh_dirname = $upload_dir['basedir'] . '\u002Fys_cfdbh_uploads';\\n+                $uploads_root     = realpath($ys_cfdbh_dirname);\\n+                $uploads_root     = $uploads_root ? wp_normalize_path($uploads_root) : '';\\n+                $delete_count     = 0;\\n+\\n+                foreach ($postIds as $ID) {\\n+                    $result = $wpdb->get_row(\\n+                        $wpdb->prepare(\\n+                            \"SELECT ID, post_content FROM {$table_name} WHERE ID = %d AND post_type = 'ys_cfdbh' LIMIT 1\",\\n+                            $ID\\n+                        ),\\n+                        OBJECT\\n+                    );\\n+\\n+                    if (! $result) {\\n+                        continue;\\n+                    }\\n+\\n+                    $result_values = ys_cfdbh_unserialize_array($result->post_content);\\n+\\n+                    foreach ($result_values as $key => $file_name) {\\n+                        if (strpos($key, 'ys_cfdbh_file') === false || ! is_string($file_name) || $file_name === '' || $uploads_root === '') {\\n+                            continue;\\n+                        }","The exploit targets the `process_bulk_action()` function via a CSRF vector against an administrative user. \n\n1.  **CSRF Bypass**: The plugin only verifies the nonce if the `_wpnonce` field is present in the POST body. By omitting the `_wpnonce` field entirely, the check is bypassed.\n2.  **SQL Injection**: The `contact_form` parameter is an array of IDs used in a raw SQL query (`WHERE ID = $ID`). An attacker provides a payload like `-1 UNION SELECT ...` for one of the array elements.\n3.  **PHP Object Injection**: The UNION SELECT is crafted to return a specific serialized string in the `post_content` column. Because the plugin calls `unserialize()` on this query result, the attacker controls the structure of the resulting PHP array.\n4.  **Arbitrary File Deletion**: The attacker includes a key in the serialized array containing the string 'ys_cfdbh_file' (e.g., `ys_cfdbh_file_poc`). The value associated with this key is a relative path (e.g., `..\u002F..\u002Fwp-config.php`). The plugin appends this value to the uploads directory path and passes it to `wp_delete_file()`, deleting the specified file.","gemini-3-flash-preview","2026-06-04 16:57:00","2026-06-04 16:58:43",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-db-handler\u002Ftags\u002F3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-contact-form-7-db-handler.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-db-handler\u002Ftags\u002F3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-contact-form-7-db-handler.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-db-handler\u002Ftags"]