{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wp-contact-form-7-db-handler-plugin--3.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6455"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP Contact Form 7 DB Handler plugin (\u003c= 3.0)"],"_cs_severities":["high"],"_cs_tags":["cve","csrf","sqli","php object injection","wordpress"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Contact Form 7 DB Handler plugin for WordPress, in versions up to and including 3.0, contains a high-severity vulnerability chain that an attacker can trigger through Cross-Site Request Forgery (CSRF). The \u003ccode\u003eprocess_bulk_action()\u003c/code\u003e function performs no nonce verification, so a request that simply omits the \u003ccode\u003e_wpnonce\u003c/code\u003e field is still processed. Combined with a user-supplied value interpolated unquoted into a SQL query and unsafe deserialization of the \u003ccode\u003epost_content\u003c/code\u003e column, this yields arbitrary file deletion. An attacker who lures a logged-in WordPress administrator to a crafted page can make that administrator's browser submit a request that performs SQL injection and PHP Object Injection, ending in the deletion of attacker-chosen files on the server. Deleting a file such as \u003ccode\u003ewp-config.php\u003c/code\u003e, or a system file the web server user can write to, can take the affected site down entirely. 
The vulnerability is tracked as CVE-2026-6455.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page whose form auto-submits to the endpoint that invokes \u003ccode\u003eprocess_bulk_action()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe page is delivered to a logged-in WordPress administrator (e.g., via phishing or other social engineering).\u003c/li\u003e\n\u003cli\u003eWhen the administrator visits the page, the browser sends a POST request to the vulnerable endpoint carrying the administrator's session cookies. The request omits \u003ccode\u003e_wpnonce\u003c/code\u003e; because the function never verifies a nonce, the request is processed anyway.\u003c/li\u003e\n\u003cli\u003eA request parameter carries a UNION-based SQL injection payload aimed at a numeric SQL context (e.g., \u003ccode\u003eWHERE ID = $ID\u003c/code\u003e). Because the value is interpolated without surrounding quotes, \u003ccode\u003eesc_sql\u003c/code\u003e quote-escaping offers no protection, and the payload uses the \u003ccode\u003eCHAR()\u003c/code\u003e function to build its string literals without any quote characters at all.\u003c/li\u003e\n\u003cli\u003eThe injected UNION branch returns an attacker-controlled serialized PHP array in the \u003ccode\u003epost_content\u003c/code\u003e column of the query result.\u003c/li\u003e\n\u003cli\u003eThe plugin deserializes \u003ccode\u003epost_content\u003c/code\u003e without validating it.\u003c/li\u003e\n\u003cli\u003eValues of array entries whose keys contain \u003ccode\u003eys_cfdbh_file\u003c/code\u003e are treated as file names and appended to the uploads directory path.\u003c/li\u003e\n\u003cli\u003eThe resulting paths are passed to \u003ccode\u003ewp_delete_file()\u003c/code\u003e with no path traversal check, so a value such as \u003ccode\u003e../../wp-config.php\u003c/code\u003e (relative to the default \u003ccode\u003ewp-content/uploads\u003c/code\u003e directory) deletes a file outside the uploads directory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6455 allows an attacker to delete arbitrary files on the WordPress server. 
This includes critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e, which holds the database credentials and authentication salts. Deleting that file takes the site down and, since WordPress presents its setup wizard when the file is absent, can lead to complete site compromise, data loss, and significant disruption of service. The CVSS v3.1 base score for this vulnerability is 8.1 (High).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate the WP Contact Form 7 DB Handler plugin to a release that remediates CVE-2026-6455; if no fixed release is available, deactivate the plugin until one is.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious POST Requests to WP Contact Form 7 DB Handler\u003c/code\u003e to identify exploitation attempts against the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eFor plugin code: never interpolate user input directly into SQL. Use \u003ccode\u003e$wpdb-\u003eprepare()\u003c/code\u003e with a \u003ccode\u003e%d\u003c/code\u003e placeholder for numeric identifiers; quote-escaping alone (\u003ccode\u003eesc_sql\u003c/code\u003e) does not protect an unquoted numeric context.\u003c/li\u003e\n\u003cli\u003eEnforce nonce verification (\u003ccode\u003echeck_admin_referer()\u003c/code\u003e or \u003ccode\u003ewp_verify_nonce()\u003c/code\u003e) together with a capability check for every administrative action, as \u003ccode\u003eprocess_bulk_action()\u003c/code\u003e currently performs no nonce check at all.\u003c/li\u003e\n\u003cli\u003eDo not pass database content that an attacker can influence to \u003ccode\u003eunserialize()\u003c/code\u003e; store structured data as JSON and decode it with \u003ccode\u003ejson_decode()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBefore deleting a file, resolve the final path with \u003ccode\u003erealpath()\u003c/code\u003e and confirm it lies inside the uploads base directory; reject anything that resolves outside it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T08:18:45Z","date_published":"2026-05-28T08:18:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wp-contact-form-7-db-handler-csrf/","summary":"The WP Contact Form 7 DB Handler plugin for WordPress (\u003c= 3.0) is vulnerable to Cross-Site Request Forgery (CSRF) because process_bulk_action() performs no nonce verification; combined with SQL injection in an unquoted numeric context and unsafe deserialization of post_content, a request forged through a logged-in administrator can delete arbitrary files on the server.","title":"WP Contact Form 7 DB Handler Plugin CSRF leading to Arbitrary File Deletion (CVE-2026-6455)","url":"https://feed.craftedsignal.io/briefs/2026-05-wp-contact-form-7-db-handler-csrf/"}],"language":"en","title":"CraftedSignal 
Threat Feed — WP Contact Form 7 DB Handler Plugin (\u003c= 3.0)","version":"https://jsonfeed.org/version/1.1"}