CVE-2026-12094: CWE-862 Missing Authorization in iamranit Advanced Contact Form 7 – Compact DB
Description
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both `wp_ajax_cf7cdb_delete` and `wp_ajax_nopriv_cf7cdb_delete`, and it performs no nonce verification, no capability check, and no ownership check before invoking `$wpdb->delete()` against the `wp_cf7cdb_data` table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.
CVSS v3.1
Score: 5.3 (Medium)
Weaknesses
CWE-862 Missing Authorization
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-12094 describes a missing authorization vulnerability (CWE-862) in the Advanced Contact Form 7 - Compact DB plugin for WordPress, affecting versions up to and including 1.0.0. The vulnerability arises because the AJAX handler cf7cdb_ajax_delete_user() is registered for both authenticated and unauthenticated users (wp_ajax_cf7cdb_delete and wp_ajax_nopriv_cf7cdb_delete) without performing nonce verification, capability checks, or ownership validation. This allows unauthenticated attackers to invoke $wpdb->delete() on the wp_cf7cdb_data table with an attacker-controlled integer ID, enabling deletion of arbitrary contact form submission records.
Potential Impact
The vulnerability allows unauthenticated attackers to delete arbitrary data entries stored by the plugin, specifically contact form submission records. No impact on confidentiality or availability is reported; the integrity of stored contact form data is compromised through unauthorized deletion.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected AJAX endpoints if possible and monitor for suspicious deletion activity. Implementing nonce verification, capability checks, and ownership validation in the cf7cdb_ajax_delete_user() function is necessary to remediate this issue.
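The three checks the recommendation names, written out as a hardened WordPress AJAX delete handler of the shape the advisory describes. This is added example code, not the plugin's own; the `cf7cdb_delete` action name and the `cf7cdb_data` table come from the advisory, while the nonce action `cf7cdb_delete_nonce`, the `manage_options` capability, the `id` column, the `cf7cdb-admin` script handle and the function names are assumptions. Because the page does not describe a per-user association in the table, the capability check serves as the authorization gate here.

```php
<?php
// Added example: hardened replacement for an AJAX delete handler of the kind
// described in CVE-2026-12094. Not the plugin's code. Assumed names: the
// `cf7cdb_delete_nonce` nonce action, the `manage_options` capability, the
// `id` primary-key column, the `cf7cdb-admin` script handle and the helpers.

// 1. Register the handler ONLY for logged-in users. Omitting the
//    `wp_ajax_nopriv_cf7cdb_delete` registration closes the anonymous path.
add_action( 'wp_ajax_cf7cdb_delete', 'cf7cdb_secure_ajax_delete' );

// Hand the nonce to the admin script that issues the delete request (sent
// back as the `nonce` POST field), tying the request to one logged-in session.
function cf7cdb_secure_localize_nonce() {
    wp_localize_script( 'cf7cdb-admin', 'cf7cdbNonce', array(
        'delete' => wp_create_nonce( 'cf7cdb_delete_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cf7cdb_secure_localize_nonce' );

function cf7cdb_secure_ajax_delete() {
    global $wpdb;

    // 2. Nonce verification: blocks cross-site requests riding on a
    //    logged-in session. check_ajax_referer() dies with -1 on failure.
    check_ajax_referer( 'cf7cdb_delete_nonce', 'nonce' );

    // 3. Capability check: only users who may manage the site can delete
    //    submissions (assumed capability; adapt to the plugin's role model).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Coerce the ID to a non-negative integer and reject 0 or non-numeric
    // input rather than trusting the raw request value.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid entry ID.' ), 400 );
    }

    // $wpdb->delete() with an explicit %d format; $wpdb->prefix avoids
    // hard-coding the `wp_` table prefix.
    $table   = $wpdb->prefix . 'cf7cdb_data';
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted, 'id' => $id ) );
}
```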
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-06-12T14:10:35.012Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3b7810eed863c81e5f718f
Added to database: 06/24/2026, 06:24:16 UTC
Last enriched: 06/24/2026, 06:55:05 UTC
Last updated: 06/24/2026, 19:10:46 UTC