PT-2022-9501 · WordPress · Advanced Contact Form 7 Db

Krzysztof Zając · Published 2022-03-21 · Updated 2023-02-06 · CVE-2021-24905

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Advanced Contact form 7 DB WordPress plugin versions prior to 1.8.7

Description: The issue allows any authenticated user to delete arbitrary files on the web server due to the lack of authorization and CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and failure to validate the file to be deleted. This can lead to significant consequences, such as removing the wp-config.php file, which enables attackers to trigger WordPress setup again. As a result, attackers can gain administrator privileges, execute arbitrary code, or display arbitrary content to users.

Recommendations: For versions prior to 1.8.7, update to version 1.8.7 or later to resolve the issue. As a temporary workaround, consider disabling the acf7_db_edit_scr_file_delete AJAX action until a patch is available.
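The three controls the description reports as missing (authorization, a CSRF nonce check, and validation of the file to be deleted), shown together in an added, illustrative hardened handler for the same AJAX action. This is not the plugin's own code; the callback name, the nonce action, the required capability and the upload sub-directory are assumptions.

```php
<?php
// Illustrative hardened handler for the acf7_db_edit_scr_file_delete AJAX
// action. Hypothetical names: hardened_acf7db_file_delete, the nonce action
// 'acf7db_file_delete_nonce', the capability 'manage_options' and the
// 'acf7db-files' upload sub-directory are assumptions, not the plugin's own.

// Register for logged-in users only (wp_ajax_*), never wp_ajax_nopriv_*.
add_action( 'wp_ajax_acf7_db_edit_scr_file_delete', 'hardened_acf7db_file_delete' );

function hardened_acf7db_file_delete() {
    // 1. Authorization: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), execution stops
    }

    // 2. CSRF: the request must carry a nonce created for this action with
    //    wp_create_nonce( 'acf7db_file_delete_nonce' ) and sent as 'nonce'.
    check_ajax_referer( 'acf7db_file_delete_nonce', 'nonce' );

    // 3. Input validation: accept a bare file name only, no directory parts.
    $name = isset( $_POST['file'] )
        ? sanitize_file_name( wp_unslash( $_POST['file'] ) )
        : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. Path confinement: resolve the real path and make sure it stays
    //    inside the plugin's upload folder (defeats traversal and symlinks).
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'acf7db-files' );
    $target = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'file not found', 404 );
    }

    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $name ) );
}
```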

Weakness Enumeration: Incorrect Authorization, CSRF

Related Identifiers: CVE-2021-24905

Affected Products: Advanced Contact Form 7 Db