Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 23 Jun 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Wordpress
Wordpress wordpress Zealopensource Zealopensource abandoned Contact Form 7 |
|
| Vendors & Products |
Wordpress
Wordpress wordpress Zealopensource Zealopensource abandoned Contact Form 7 |
Tue, 16 Jun 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 16 Jun 2026 06:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. | |
| Title | Abandoned Contact Form 7 <= 2.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion via 'recover_id' Parameter | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-06-16T12:37:54.599Z
Reserved: 2026-05-21T15:01:06.791Z
Link: CVE-2026-9187
Updated: 2026-06-16T12:37:47.656Z
Status : Deferred
Published: 2026-06-16T06:16:58.817
Modified: 2026-06-16T15:22:49.577
Link: CVE-2026-9187
No data.
OpenCVE Enrichment
Updated: 2026-06-23T21:06:12Z