PatchSiren cyber security CVE debrief

CVE-2026-9187 zealopensource CVE debrief

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax.

Vendor: zealopensource
Product: Abandoned Contact Form 7
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-16
Original CVE updated: 2026-06-16
Advisory published: 2026-06-16
Advisory updated: 2026-06-16

Who should care

Users of the Abandoned Contact Form 7 plugin for WordPress, version 2.2 or earlier.

Technical summary

The Abandoned Contact Form 7 plugin for WordPress contains a vulnerability that allows for unauthorized arbitrary post deletion. The vulnerability exists due to a missing capability check and nonce validation in the action__remove_abandoned() function. This function is registered to both wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks, allowing unauthenticated attackers to delete arbitrary posts, pages, or other content by sending a single admin-ajax request.

Defensive priority

High

Recommended defensive actions

Update the Abandoned Contact Form 7 plugin to a version that fixes the vulnerability.
Restrict access to the admin-ajax endpoint to prevent unauthorized requests.

Evidence notes

The vulnerability was reported by [email protected].

Official resources

CVE-2026-9187 was published on 2026-06-16T06:16:58.817Z.