high threat

WP Contact Form 7 DB Handler Plugin CSRF leading to Arbitrary File Deletion (CVE-2026-6455)

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF). Because the affected bulk action performs no nonce verification, a forged request can reach a SQL injection and, through unsafe deserialization of the result, a PHP object injection that ends in the deletion of arbitrary files on the server.

The WP Contact Form 7 DB Handler plugin, up to version 3.0, contains a critical vulnerability that can be exploited by an attacker through Cross-Site Request Forgery (CSRF). Specifically, the process_bulk_action() function lacks proper nonce verification, which can be bypassed by omitting the _wpnonce field. This, combined with unsanitized SQL input and unsafe deserialization of the post_content field, creates a path for arbitrary file deletion. A malicious actor could craft a CSRF page that tricks a logged-in WordPress administrator into triggering a SQL injection and PHP Object Injection, ultimately leading to the deletion of sensitive files on the server. This vulnerability allows the deletion of critical files like wp-config.php or system files, potentially crippling the affected website. The vulnerability is identified as CVE-2026-6455.

Attack Chain

  1. Attacker crafts a malicious CSRF HTML page designed to exploit the process_bulk_action() function.
  2. The CSRF page is sent to a logged-in WordPress administrator (e.g., via phishing or other social engineering techniques).
  3. The administrator unknowingly visits the attacker-controlled page, triggering a POST request to the vulnerable endpoint without a valid nonce (_wpnonce is omitted).
  4. The POST request contains a UNION-based SQL injection payload embedded within the request parameters targeting a numeric SQL context (e.g., WHERE ID = $ID). The CHAR() function is used to bypass esc_sql quote-escaping.
  5. The injected query returns a malicious serialized PHP array as the post_content value.
  6. The plugin deserializes the post_content field without proper sanitization.
  7. Array values associated with keys containing ys_cfdbh_file are extracted and used as file paths, appended to the uploads directory path.
  8. The extracted paths are passed to the wp_delete_file() function without any path traversal validation, resulting in arbitrary file deletion on the server.

Impact

Successful exploitation of CVE-2026-6455 allows an attacker to delete arbitrary files on the WordPress server. This includes critical files such as wp-config.php, which contains database credentials and other sensitive configuration information. The deletion of such files can lead to complete website compromise, data loss, and significant disruption of service. The CVSS v3.1 base score for this vulnerability is 8.1, indicating a high severity.

Recommendation

  • Apply available patches or updates for the WP Contact Form 7 DB Handler plugin to remediate CVE-2026-6455.
  • Deploy the Sigma rule "Detect Suspicious POST Requests to WP Contact Form 7 DB Handler" to identify potential exploitation attempts targeting the vulnerable endpoint.
  • Implement strict input validation and sanitization for user-supplied values used in SQL queries to prevent SQL injection vulnerabilities, as highlighted in the overview of CVE-2026-6455.
  • Enforce nonce verification for all administrative actions to mitigate CSRF attacks, as the process_bulk_action() function lacks proper nonce validation.
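As an added example that is not the plugin's own code, the handler below applies the recommendations above to the flow described in the attack chain: nonce verification that cannot be skipped by omitting _wpnonce, a prepared numeric query, object-free deserialization, and a containment check before wp_delete_file(). The hook name, nonce action and capability are assumptions; ys_cfdbh_file is the key named in this advisory.

```php
<?php
// Added example, not the plugin's own code. Hook name, nonce action and
// capability are assumptions; ys_cfdbh_file is the key named in the advisory.
function cfdb_example_bulk_delete() {
    global $wpdb;

    // CSRF: check_admin_referer() dies when _wpnonce is missing or invalid, so
    // simply omitting the field can no longer skip verification.
    check_admin_referer( 'cfdb_example_bulk_action' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // SQL: bind the numeric IDs with %d. esc_sql() only escapes quotes, which a
    // CHAR()-based payload in a numeric context never needs.
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) ) );
    if ( empty( $ids ) ) {
        return;
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_content FROM {$wpdb->posts} WHERE ID IN ($placeholders)",
        array_values( $ids )
    ) );

    $uploads = wp_normalize_path( trailingslashit( wp_upload_dir()['basedir'] ) );

    foreach ( $rows as $row ) {
        // Deserialization: allowed_classes => false turns any object in the
        // payload into __PHP_Incomplete_Class, so no magic method can run.
        $data = @unserialize( $row->post_content, array( 'allowed_classes' => false ) );
        if ( ! is_array( $data ) ) {
            continue;
        }
        foreach ( $data as $key => $value ) {
            if ( ! is_string( $key ) || false === strpos( $key, 'ys_cfdbh_file' ) || ! is_string( $value ) ) {
                continue;
            }
            // Path traversal: keep only the file name, resolve symlinks and
            // '..', and require the result to stay inside the uploads directory.
            $target = realpath( $uploads . wp_basename( $value ) );
            if ( false === $target || 0 !== strpos( wp_normalize_path( $target ), $uploads ) ) {
                continue;
            }
            wp_delete_file( $target );
        }
    }
}
add_action( 'admin_post_cfdb_example_bulk_delete', 'cfdb_example_bulk_delete' );
```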

Detection coverage (2 rules)

Detect Suspicious POST Requests to WP Contact Form 7 DB Handler

Severity: medium

Detects suspicious POST requests to the WP Contact Form 7 DB Handler plugin indicative of potential exploitation attempts targeting CVE-2026-6455.

Rule format: Sigma. Tactics: initial_access. Techniques: T1189, T1203. Sources: webserver.

Detect SQL Injection Attempts in WP Contact Form 7 DB Handler Requests

Severity: high

Detects SQL injection attempts in requests to the WP Contact Form 7 DB Handler plugin by identifying common SQL injection payloads in request parameters, related to CVE-2026-6455.

Rule format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver.
