PT-2026-51128 · Crm Perks · Database For Contact Form 7

Daroo · Published 2026-06-20 · Updated 2026-06-20 · CVE-2026-9843

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress versions prior to 1.5.2

Description

Insufficient file path validation in the view page() function allows unauthenticated attackers to delete arbitrary files on the server. This occurs when an administrator views or edits a poisoned form entry, causing PHP's bracket parser to reshape an attacker-crafted JSON key. This process bypasses the stored-path isset check and triggers the deletion of a file specified via path traversal. Deleting critical files, such as wp-config.php, can lead to remote code execution.

Recommendations

Update the plugin to a version later than 1.5.1.
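
A defensive sketch of the kind of check the description says is missing, added here as an example and not taken from the plugin or its patch: a path is accepted only as a plain string and deleted only if it resolves inside an assumed upload directory. `safe_delete_upload()`, `UPLOAD_BASE` and the demo file names are hypothetical.

```php
<?php
// Added example (assumed names throughout; not the plugin's code).
const UPLOAD_BASE = '/var/www/html/wp-content/uploads/form-entries'; // assumed directory

/**
 * Delete $candidate only if it resolves to a regular file inside $baseDir.
 * Returns true when a file was deleted, false when the request was refused.
 */
function safe_delete_upload($candidate, string $baseDir = UPLOAD_BASE): bool
{
    // Once PHP has parsed bracketed keys, a value can arrive as a nested array
    // instead of a string, so insist on a plain string before using it as a path.
    if (!is_string($candidate) || $candidate === '' || strpos($candidate, "\0") !== false) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() collapses "../" segments and symlinks; false means no such file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $candidate);
    if ($path === false || !is_file($path)) {
        return false;
    }
    // Containment: the resolved path must still start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($path);
}

// Constructed demo: a temporary tree stands in for the site.
$root = sys_get_temp_dir() . '/pt_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/resume.pdf", 'x');
file_put_contents("$root/site-config.php", 'x'); // stands in for a critical file

var_dump(safe_delete_upload('resume.pdf', "$root/uploads"));             // inside the base
var_dump(safe_delete_upload('../site-config.php', "$root/uploads"));     // resolves outside the base
var_dump(safe_delete_upload(['path' => 'resume.pdf'], "$root/uploads")); // array-shaped input
var_dump(file_exists("$root/site-config.php"));                          // critical file untouched

// Clean up the constructed tree.
unlink("$root/site-config.php");
rmdir("$root/uploads");
rmdir($root);
```

The containment test runs on the resolved path, not on the submitted string, so filtering for `../` in the input is not what the check relies on.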

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-9843

Affected Products

Database For Contact Form 7