CVE-2026-9187: CWE-862 Missing Authorization in zealopensource Abandoned Contact Form 7
The Abandoned Contact Form 7 WordPress plugin up to version 2.2 contains a missing authorization vulnerability that allows unauthenticated attackers to delete arbitrary posts. This occurs because the plugin's action__remove_abandoned() function lacks capability checks and nonce validation, and it directly deletes posts based on user-supplied input without verifying post ownership. The vulnerability enables permanent deletion of any post, page, or content via a crafted admin-ajax request.
AI Analysis
Technical Summary
CVE-2026-9187 is a missing authorization vulnerability (CWE-862) in the Abandoned Contact Form 7 plugin for WordPress by zealopensource. Versions up to and including 2.2 are affected. The vulnerability exists in the action__remove_abandoned() function, which is registered to both authenticated and unauthenticated AJAX hooks (wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned). This function accepts a recover_id parameter from POST data and calls wp_delete_post() with force delete enabled, without verifying that the post belongs to the plugin's custom post type or that the request is authorized. Consequently, unauthenticated attackers can delete arbitrary posts or pages permanently by sending a single crafted AJAX request to admin-ajax.php.
Potential Impact
An unauthenticated attacker can permanently delete arbitrary posts, pages, or other content on a vulnerable WordPress site running the affected plugin version. This results in integrity loss of site content. There is no confidentiality or availability impact indicated. The CVSS 3.1 base score is 5.3 (medium severity) reflecting network attack vector, low complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to admin-ajax.php or disable the Abandoned Contact Form 7 plugin if possible. Monitor for updates from zealopensource and apply official patches once released. Avoid exposing the vulnerable AJAX action to unauthenticated users.
CVE-2026-9187: CWE-862 Missing Authorization in zealopensource Abandoned Contact Form 7
Description
The Abandoned Contact Form 7 WordPress plugin up to version 2.2 contains a missing authorization vulnerability that allows unauthenticated attackers to delete arbitrary posts. This occurs because the plugin's action__remove_abandoned() function lacks capability checks and nonce validation, and it directly deletes posts based on user-supplied input without verifying post ownership. The vulnerability enables permanent deletion of any post, page, or content via a crafted admin-ajax request.
CVSS v3.1
Score 5.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9187 is a missing authorization vulnerability (CWE-862) in the Abandoned Contact Form 7 plugin for WordPress by zealopensource. Versions up to and including 2.2 are affected. The vulnerability exists in the action__remove_abandoned() function, which is registered to both authenticated and unauthenticated AJAX hooks (wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned). This function accepts a recover_id parameter from POST data and calls wp_delete_post() with force delete enabled, without verifying that the post belongs to the plugin's custom post type or that the request is authorized. Consequently, unauthenticated attackers can delete arbitrary posts or pages permanently by sending a single crafted AJAX request to admin-ajax.php.
Potential Impact
An unauthenticated attacker can permanently delete arbitrary posts, pages, or other content on a vulnerable WordPress site running the affected plugin version. This results in integrity loss of site content. There is no confidentiality or availability impact indicated. The CVSS 3.1 base score is 5.3 (medium severity) reflecting network attack vector, low complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to admin-ajax.php or disable the Abandoned Contact Form 7 plugin if possible. Monitor for updates from zealopensource and apply official patches once released. Avoid exposing the vulnerable AJAX action to unauthenticated users.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-21T15:01:06.791Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a30e6730b89be68884f4f74
Added to database: 6/16/2026, 6:00:19 AM
Last enriched: 6/16/2026, 6:15:17 AM
Last updated: 6/16/2026, 7:08:42 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.