PT-2026-51671 · Iamranit · Advanced Contact Form 7 – Compact Db

Yu-Sheng Yu · Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-12094

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both wp_ajax_cf7cdb_delete and wp_ajax_nopriv_cf7cdb_delete, and it performs no nonce verification, no capability check, and no ownership check before invoking $wpdb->delete() against the wp_cf7cdb_data table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.
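
A hardened version of the delete handler described above, as an added example that is not the plugin's own code or its published fix. The request field id, the nonce action cf7cdb_delete_entry, the nonce field nonce, the primary-key column id and the manage_options capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumed names: request field 'id',
// nonce action 'cf7cdb_delete_entry', nonce field 'nonce', primary-key
// column 'id', required capability 'manage_options'.

// Register for logged-in users only. Leaving out the wp_ajax_nopriv_ hook
// means unauthenticated requests never reach the handler.
add_action( 'wp_ajax_cf7cdb_delete', 'cf7cdb_ajax_delete_user' );

function cf7cdb_ajax_delete_user() {
    global $wpdb;

    // 1. Nonce: reject forged or replayed cross-site requests.
    //    With $die = false the function returns false instead of exiting.
    if ( ! check_ajax_referer( 'cf7cdb_delete_entry', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Capability: submissions belong to the site, not to a visitor, so a
    //    site-level capability stands in for a per-row ownership check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input: accept a positive integer only.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid id' ), 400 );
    }

    // 4. Delete with an explicit integer format for the WHERE value.
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'cf7cdb_data',
        array( 'id' => $id ),
        array( '%d' )
    );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error' ), 500 );
    }
    if ( 0 === $deleted ) {
        wp_send_json_error( array( 'message' => 'Entry not found' ), 404 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
```

Each wp_send_json_error() call ends the request, so a failed check never falls through to the delete.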

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-12094

Affected Products

Advanced Contact Form 7 – Compact Db