Cross-Site Request Forgery Vulnerability in Advanced Contact Form 7 DB Plugin for WordPress
CVE-2026-0811
5.4 MEDIUM
What is CVE-2026-0811?
The Advanced Contact Form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), exploitable by unauthenticated attackers. The issue arises from inadequate nonce validation in the 'vsz_cf7_save_setting_callback' function. As a result, an attacker can potentially delete form entries by tricking a site administrator into performing an action, such as clicking on a malicious link. It is crucial for users to be aware of this vulnerability and apply the necessary updates to safeguard their sites.
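A small static check for the flaw class described above, as an added example that is not code from the plugin or from this advisory: it scans PHP source for functions that read request data without calling a WordPress nonce-verification function, or that verify the nonce only when the field is present. The `demo_*` functions and the sample source are constructed for illustration.

```python
import re

# WordPress core functions that verify a nonce.
NONCE_CHECKS = ("wp_verify_nonce", "check_admin_referer", "check_ajax_referer")
REQUEST_READ = re.compile(r"\$_(?:POST|GET|REQUEST)\b")
FUNC_DEF = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
# Verification that only runs when the nonce field was sent at all.
CONDITIONAL = re.compile(
    r"isset\s*\(\s*\$_(?:POST|GET|REQUEST)\[[^\]]*\]\s*\)\s*&&\s*!\s*wp_verify_nonce")

def function_bodies(php):
    """Yield (name, body) per function; naive brace matching, ignores strings."""
    for m in FUNC_DEF.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        yield m.group(1), php[m.end():i - 1]

def audit(php):
    """Return {function: finding} for functions that read request data."""
    findings = {}
    for name, body in function_bodies(php):
        if not REQUEST_READ.search(body):
            continue
        if not any(re.search(rf"\b{c}\s*\(", body) for c in NONCE_CHECKS):
            findings[name] = "no nonce check"
        elif CONDITIONAL.search(body):
            findings[name] = "nonce check skipped when field is absent"
    return findings

# Constructed sample source; the demo_* names are hypothetical.
SAMPLE = r"""
function demo_save_a() {
    if ( isset( $_POST['ids'] ) ) { demo_delete( $_POST['ids'] ); }
}
function demo_save_b() {
    if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'demo_save' ) ) {
        wp_die( 'Bad nonce' );
    }
    demo_delete( $_POST['ids'] );
}
function demo_save_c() {
    check_admin_referer( 'demo_save' );
    demo_delete( $_POST['ids'] );
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hit is a prompt for manual review rather than proof of a flaw, and a clean result says nothing about capability checks such as `current_user_can`, which are a separate control.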
Affected Version(s)
Advanced Contact form 7 DB 0 <= 2.0.9