CVE-2026-6455: CWE-352 Cross-Site Request Forgery (CSRF) in yudiz WP Contact Form 7 DB Handler
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function, the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).
AI Analysis
Technical Summary
CVE-2026-6455 affects the yudiz WP Contact Form 7 DB Handler WordPress plugin through a missing nonce verification in the process_bulk_action() function. The nonce check is bypassed by omitting the _wpnonce POST field, enabling a CSRF attack. This is combined with an unparameterized SQL query vulnerable to UNION-based SQL injection, allowing an attacker to inject a malicious serialized PHP array into the post_content field. Unsafe deserialization of this data leads to PHP object injection, where file paths derived from the injected data are passed to wp_delete_file() without path traversal validation. This chain of vulnerabilities allows an attacker to delete arbitrary files on the server, including critical WordPress and system files. The vulnerability is rated high severity with a CVSS score of 8.1 and requires user interaction but no privileges.
Potential Impact
Successful exploitation allows an attacker to delete arbitrary files on the affected server, including critical configuration files such as wp-config.php and potentially system files. This compromises the integrity and availability of the WordPress installation and the underlying system. The attack requires a logged-in administrator to be tricked into triggering the malicious request, but no prior privileges or authentication bypass is needed beyond that. There is no confidentiality impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should avoid interacting with untrusted pages while logged into WordPress with administrative privileges. Monitoring for plugin updates from yudiz is recommended to apply any forthcoming official fixes. No vendor advisory or patch links are currently provided.
CVE-2026-6455: CWE-352 Cross-Site Request Forgery (CSRF) in yudiz WP Contact Form 7 DB Handler
Description
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function, the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).
CVSS v3.1
Score 8.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-6455 affects the yudiz WP Contact Form 7 DB Handler WordPress plugin through a missing nonce verification in the process_bulk_action() function. The nonce check is bypassed by omitting the _wpnonce POST field, enabling a CSRF attack. This is combined with an unparameterized SQL query vulnerable to UNION-based SQL injection, allowing an attacker to inject a malicious serialized PHP array into the post_content field. Unsafe deserialization of this data leads to PHP object injection, where file paths derived from the injected data are passed to wp_delete_file() without path traversal validation. This chain of vulnerabilities allows an attacker to delete arbitrary files on the server, including critical WordPress and system files. The vulnerability is rated high severity with a CVSS score of 8.1 and requires user interaction but no privileges.
Potential Impact
Successful exploitation allows an attacker to delete arbitrary files on the affected server, including critical configuration files such as wp-config.php and potentially system files. This compromises the integrity and availability of the WordPress installation and the underlying system. The attack requires a logged-in administrator to be tricked into triggering the malicious request, but no prior privileges or authentication bypass is needed beyond that. There is no confidentiality impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should avoid interacting with untrusted pages while logged into WordPress with administrative privileges. Monitoring for plugin updates from yudiz is recommended to apply any forthcoming official fixes. No vendor advisory or patch links are currently provided.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-16T20:17:12.219Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a17efcce29bf47b50bb74e5
Added to database: 5/28/2026, 7:33:32 AM
Last enriched: 5/28/2026, 7:48:44 AM
Last updated: 5/29/2026, 1:35:37 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.