PatchSiren cyber security CVE debrief
CVE-2026-6455 yudiz CVE debrief
WP Contact Form 7 DB Handler plugin for WordPress (versions up to and including 3.0) contains a critical vulnerability chain: missing nonce verification enables CSRF, which can trigger SQL injection via unsanitized user input in a numeric WHERE clause, leading to PHP object injection through deserialization of attacker-controlled post_content data, ultimately resulting in arbitrary file deletion via path manipulation in file-handling logic. The CVSS 3.1 score of 8.1 (High) reflects network attack vector, low attack complexity, no privileges required, user interaction required, and high impact to integrity and availability. The vulnerability was published to CVE on 2026-05-28 and modified the same day. No KEV listing or known ransomware campaign use has been identified.
- Vendor: yudiz
- Product: WP Contact Form 7 DB Handler
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
WordPress site administrators using WP Contact Form 7 DB Handler plugin; security teams managing WordPress installations; web application firewall operators; incident response teams tracking WordPress plugin vulnerabilities; compliance officers responsible for vulnerability management programs
Technical summary
The vulnerability exists in the process_bulk_action() function where nonce verification is only performed when _wpnonce is present in POST data, allowing trivial bypass by omitting the parameter. The function uses unsanitized, unparameterized user-supplied $ID values in SQL queries (WHERE ID = $ID), enabling UNION-based SQL injection using CHAR() to bypass esc_sql() quote escaping. Query results are deserialized without safe unserialization controls, and array keys containing 'ys_cfdbh_file' trigger file deletion via wp_delete_file() with path traversal vulnerabilities, allowing deletion of arbitrary server files including wp-config.php.
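The weak pattern described above, placed beside a hardened handler, as an added illustration that is not the plugin's own code. The function names, the nonce action 'bulk-entries', the capability check and the 'file' substring used to pick array keys are assumptions; check_admin_referer, absint, $wpdb->prepare, wp_upload_dir, wp_normalize_path and wp_delete_file are standard WordPress core APIs.

```php
<?php
// Added illustration (hypothetical handler, not the plugin's code).
// WEAK: nonce verified only when the field is present, $ID interpolated
// into SQL, unrestricted unserialize(), and deletion of an unchecked path.
function weak_bulk_delete() {
    global $wpdb;
    if ( isset( $_POST['_wpnonce'] ) ) {          // omit _wpnonce and this block never runs
        check_admin_referer( 'bulk-entries' );
    }
    $ID  = esc_sql( $_POST['ID'] );               // esc_sql() escapes quotes only; a bare number is not protected
    $row = $wpdb->get_row( "SELECT post_content FROM {$wpdb->posts} WHERE ID = $ID" );
    $data = unserialize( $row->post_content );    // any class in the autoload path may be instantiated
    foreach ( $data as $key => $value ) {
        if ( false !== strpos( $key, 'file' ) ) {
            wp_delete_file( $value );             // no check that $value lives under the uploads directory
        }
    }
}

// HARDENED: the same operation with the four defects closed.
function hardened_bulk_delete() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'bulk-entries' );        // unconditional: a missing or stale nonce dies here
    $id  = absint( $_POST['ID'] ?? 0 );           // numeric input coerced to a non-negative integer
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT post_content FROM {$wpdb->posts} WHERE ID = %d", $id )
    );
    if ( ! $row ) {
        return;
    }
    // allowed_classes => false: only scalars/arrays come back, never objects (no gadget chains)
    $data = unserialize( $row->post_content, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return;
    }
    $base = wp_normalize_path( trailingslashit( wp_upload_dir()['basedir'] ) );
    foreach ( $data as $key => $value ) {
        if ( false === strpos( (string) $key, 'file' ) || ! is_string( $value ) ) {
            continue;
        }
        $real = realpath( $value );               // resolves ../ and symlinks before the prefix test
        if ( false === $real ) {
            continue;
        }
        $real = wp_normalize_path( $real );
        if ( 0 === strpos( $real, $base ) && is_file( $real ) ) {
            wp_delete_file( $real );              // only regular files inside uploads/ are deleted
        }
    }
}
```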
Defensive priority
Critical
Recommended defensive actions
- Immediately upgrade WP Contact Form 7 DB Handler plugin to version 3.0.1 or later if available, or remove the plugin if no patch exists
- Implement Web Application Firewall (WAF) rules to detect and block CSRF attempts targeting administrative endpoints with missing nonce parameters
- Deploy database query monitoring to identify anomalous UNION-based SQL injection patterns using CHAR() functions
- Enable PHP object deserialization monitoring and restrict unserialize() operations to allowed classes only
- Review and harden file deletion operations in custom plugins to validate paths against allowed directories and prevent directory traversal
- Conduct security assessment of all WordPress administrative functions to verify proper nonce verification implementation
- Apply principle of least privilege to WordPress administrator accounts and implement multi-factor authentication
- Monitor for indicators of compromise including unexpected file deletions, particularly wp-config.php or system files
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Technical details including affected function (process_bulk_action()), vulnerable lines (589, 605, 607, 615), and attack chain (CSRF → SQL injection via CHAR() bypass → PHP object injection → arbitrary file deletion) derived from Wordfence security advisory and WordPress plugin repository source code references. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H confirmed from NVD source data. CWE-352 (Cross-Site Request Forgery) identified as primary weakness. Vendor attribution marked as low confidence requiring review due to 'Unknown Vendor' classification in source data.
Official resources
2026-05-28