Severity: High (CVSS 8.1)
Affected Systems: Crmperks Database For Contact Form 7, Wpforms, Elementor Forms; Wordpress Wordpress
Overview
Database for Contact Form 7, WPforms, Elementor forms
A high vulnerability identified as CVE-2026-9843 has been disclosed.
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP's bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file.
Risk
CVSS and CISA data indicate the following:
- Review the OpenCVE and vendor advisory for exploit conditions and impact
OpenCVE Analysis
CVSS v4.0 N/ACVSS v3.1 8.1 HighCVSS v3.0 N/ACVSS v2 N/AKEV noEPSS noSSVC no
- OpenCVE title: Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value
- Severity score: High (CVSS 8.1)
- Weaknesses: CWE-22
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | High |
| Availability Impact | High |
Required Action
Review the OpenCVE detail page and linked vendor advisory, then apply the vendor-provided update or mitigation for the affected product.
Prioritize systems where the affected product is internet-facing, handles authentication, or runs with elevated privileges.
Verify Updates
Confirm whether your environment uses the affected product(s): Crmperks Database For Contact Form 7, Wpforms, Elementor Forms; Wordpress Wordpress.
After remediation, verify the installed version against the fixed or unaffected versions listed by the vendor.
Temporary Mitigation (if patch is not available)
Use the mitigation published by the vendor. If no vendor mitigation is available, reduce exposure to the affected product, restrict access to trusted users or networks, and increase monitoring until an update can be applied.
Recommendation
- Use OpenCVE, vendor, and source references as the source of truth for affected versions and remediation
- Patch or mitigate affected products after confirming exposure in your environment
- Monitor affected systems for unusual activity until remediation is complete
Support
If you require assistance, please contact our support team.
Immediate action is strongly recommended to protect your infrastructure.
Source Details
Customer Responsibility and Backups
Before applying updates, mitigations, or configuration changes, customers should take and verify current backups or snapshots of affected systems.
Customers are responsible for managing their servers, validating their own backups, testing changes, and ensuring they can restore services if an update or mitigation causes an issue.
Saturday, June 20, 2026
