PT-2026-44199 · Yudiz · Wp Contact Form 7 Db Handler

Louis Deschanel +1 · Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-6455

CVSS v3.1: 8.1 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function: the nonce check is only executed when _wpnonce is present in the POST body, so it can be trivially bypassed by omitting the field. This is combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql() quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values whose keys contain 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).
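The following is an added example, not code from the WP Contact Form 7 DB Handler plugin, showing how a bulk-delete handler of the shape the advisory describes can close each link in the chain: the unconditional nonce and capability check, a parameterized integer lookup, deserialization with classes disabled, and confinement of deletions to the uploads directory. The function name, nonce action and POST field names are assumptions; the `ys_cfdbh_file` key substring and the uploads-directory base come from the advisory.

```php
<?php
// Added example (hypothetical hardened handler); not the plugin's code.
function example_process_bulk_action() {
    // 1. CSRF: verify the nonce unconditionally. A missing _wpnonce now
    //    fails the request instead of silently skipping the check.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_bulk_delete' ) ) {   // action name is an assumption
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. SQLi: coerce to an integer and bind with %d; no string interpolation,
    //    so CHAR()-built UNION payloads never reach the query.
    global $wpdb;
    $id = absint( $_POST['ID'] ?? 0 );                                 // field name is an assumption
    if ( 0 === $id ) {
        return;
    }
    $row = $wpdb->get_row( $wpdb->prepare( "SELECT post_content FROM {$wpdb->posts} WHERE ID = %d", $id ) );
    if ( ! $row || ! is_string( $row->post_content ) ) {
        return;
    }

    // 3. Object injection: refuse to instantiate any class while unserializing.
    $data = @unserialize( $row->post_content, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return;
    }

    // 4. Path traversal: keep only the file name, resolve it, and require the
    //    resolved path to stay inside the uploads base directory.
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    if ( false === $base ) {
        return;
    }
    foreach ( $data as $key => $value ) {
        if ( ! is_string( $key ) || false === strpos( $key, 'ys_cfdbh_file' ) || ! is_string( $value ) ) {
            continue;
        }
        $candidate = realpath( $base . DIRECTORY_SEPARATOR . basename( $value ) );
        if ( false === $candidate || 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
            continue;   // outside uploads (or nonexistent): do not delete
        }
        wp_delete_file( $candidate );
    }
}
```

In a real plugin the base should be narrowed further to the plugin's own subdirectory of uploads, so that even a valid in-uploads name cannot remove other plugins' files.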

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-6455

Affected Products

Wp Contact Form 7 Db Handler