HIGH
yudiz
CVE published 2026-05-28
CVE-2026-6455
The WP Contact Form 7 DB Handler plugin for WordPress (versions up to and including 3.0) contains a critical vulnerability chain: missing nonce verification enables CSRF, which can trigger SQL injection via unsanitized user input in a numeric WHERE clause, leading to PHP object injection through deserialization of attacker-controlled post_content data, ultimately resulting in arbitrary file deletion via path [truncated]