PatchSiren cyber security CVE debrief

CVE-2026-12094 iamranit CVE debrief

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. This vulnerability allows unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin. The handler is registered against both `wp_ajax_cf7cdb_delete` and `wp_ajax_nopriv_cf7cdb_delete`, and it performs no nonce verification, no capability check, and no ownership check before invoking `$wpdb->delete()` against the `wp_cf7cdb_data` table with an attacker-supplied integer ID. A CVSS score of 5.3 has been assigned, indicating a Medium severity level.

Vendor: iamranit
Product: Advanced Contact Form 7 – Compact DB
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-06-25
Advisory published: 2026-06-24
Advisory updated: 2026-06-25

Who should care

Administrators and users of the Advanced Contact Form 7 - Compact DB plugin for WordPress should be aware of this vulnerability and take immediate action to protect their installations. Because it can be exploited by unauthenticated attackers, it is a significant concern for WordPress site owners. The impact is limited to deleting contact form submission entries, but that still amounts to data loss for affected sites.

Technical summary

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function. The function is registered for both authenticated and unauthenticated AJAX requests, and it performs no nonce verification, capability check, or ownership check before deleting rows from the `wp_cf7cdb_data` table. This allows attackers to delete arbitrary contact form submission entries by supplying a sequential primary-key ID. The vulnerability has a CVSS score of 5.3 and a Medium severity level.
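As an added illustration of the missing controls described above, the following is a hardened WordPress AJAX delete handler written for this debrief; it is not the plugin's own code and does not reproduce cf7cdb_ajax_delete_user(). The hook name `wp_ajax_example_cf7cdb_delete`, the nonce action string, the `manage_options` capability, the `id` column name and the request parameter names are assumptions chosen for the example. It shows the three checks the advisory says were absent (nonce, capability, input validation) and registers only the authenticated `wp_ajax_` hook, so logged-out requests never reach the delete logic.

```php
<?php
// Added example for this debrief (not the plugin's code): a hardened AJAX
// delete handler. Hook name, nonce action, capability and column name are
// assumptions. Only the authenticated hook is registered; omitting the
// 'wp_ajax_nopriv_' variant means logged-out callers get WordPress's
// default "0" response instead of executing this function.
add_action( 'wp_ajax_example_cf7cdb_delete', 'example_cf7cdb_ajax_delete_entry' );

function example_cf7cdb_ajax_delete_entry() {
    global $wpdb;

    // 1. Nonce check: rejects requests forged cross-site against a logged-in
    //    administrator. The admin page that issues the request must embed a
    //    nonce created with wp_create_nonce( 'example_cf7cdb_delete' ) and send
    //    it in the 'nonce' POST field. check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_cf7cdb_delete', 'nonce' );

    // 2. Capability check: being logged in is not enough; the caller must hold
    //    a capability that implies site administration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: coerce the submitted ID to a positive integer before
    //    it reaches the database layer; reject 0, negatives and non-numeric input.
    $entry_id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $entry_id ) {
        wp_send_json_error( array( 'message' => 'Invalid entry ID.' ), 400 );
    }

    // Use the configured table prefix from $wpdb instead of hard-coding 'wp_',
    // so custom-prefix and multisite installs are handled. $wpdb->delete()
    // builds a prepared DELETE ... WHERE id = %d statement from the format array.
    $table   = $wpdb->prefix . 'cf7cdb_data';
    $deleted = $wpdb->delete( $table, array( 'id' => $entry_id ), array( '%d' ) );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    // $deleted is the number of rows removed (0 if the ID did not exist).
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The order of the checks matters: the nonce and capability checks run before any request data is interpreted, so an unauthenticated or under-privileged caller is rejected without touching the database. If a plugin legitimately needs per-user records, the capability check would be paired with an ownership check that compares the row's owner column to `get_current_user_id()` before calling `$wpdb->delete()`.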

Defensive priority

High priority should be given to updating the Advanced Contact Form 7 - Compact DB plugin to a version that fixes this vulnerability. Site administrators should also review their contact form submission entries and consider implementing additional security measures to prevent data loss.

Recommended defensive actions

  • Update the Advanced Contact Form 7 - Compact DB plugin to the latest version.
  • Review contact form submission entries for any suspicious activity.
  • Implement additional security measures, such as monitoring and access controls, to prevent data loss.
  • Consider using a Web Application Firewall (WAF) to detect and prevent exploitation attempts.
  • Keep WordPress and all plugins up-to-date to ensure the latest security patches are applied.

Evidence notes

The CVE-2026-12094 vulnerability was reported by [email protected] and is detailed in the Wordfence threat intelligence database. The vulnerability affects versions up to and including 1.0.0 of the Advanced Contact Form 7 - Compact DB plugin. The CVE record and NVD detail provide additional information on the vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.