CVE-2026-12094
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to and including 1.0.0. The function does not perform nonce verification, capability checks, or ownership checks before deleting data from the wp_cf7cdb_data table.
Risk Assessment
Attackers can delete arbitrary contact form submission entries stored by the plugin, leading to data loss and potential integrity issues within the organization.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and implement additional security measures such as nonce verification and capability checks.
Original NVD description (English source)
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both `wp_ajax_cf7cdb_delete` and `wp_ajax_nopriv_cf7cdb_delete`, and it performs no nonce verification, no capability check, and no ownership check before invoking `$wpdb->delete()` against the `wp_cf7cdb_data` table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.

