Unauthorized Data Deletion Vulnerability in Advanced Contact Form 7 - Compact DB for WordPress
CVE-2026-12094

5.3 MEDIUM

What is CVE-2026-12094?

The Advanced Contact Form 7 - Compact DB plugin for WordPress contains a vulnerability that allows unauthorized deletion of data. This issue arises from a missing capability check in the cf7cdb_ajax_delete_user() function, along with the absence of nonce verification and ownership checks. As a result, unauthenticated attackers can exploit this flaw by sending specially crafted requests to delete arbitrary entries from the wp_cf7cdb_data table, using sequential primary-key IDs. Users of the plugin are urged to assess their installations and implement necessary security measures to protect their data.
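The three checks the description names as missing, shown in a hardened WordPress AJAX delete handler. This is an added example, not the plugin's code or its patch; the action and nonce name, the capabilities, and the `id` and `user_id` columns are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: the 'example_delete_entry'
// action and nonce, the 'edit_posts' capability, and the 'id' / 'user_id' columns.

// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_delete_entry', 'example_ajax_delete_entry' );

function example_ajax_delete_entry() {
	global $wpdb;

	// 1. Nonce verification: the request must carry a token issued to this session.
	if ( ! check_ajax_referer( 'example_delete_entry', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	// 2. Capability check: the caller must be allowed to manage entries at all.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input validation: accept only a positive integer ID.
	$entry_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	if ( 0 === $entry_id ) {
		wp_send_json_error( array( 'message' => 'Invalid entry ID.' ), 400 );
	}

	$table = $wpdb->prefix . 'cf7cdb_data';

	// 4. Ownership check: look up who the row belongs to before touching it.
	$owner_id = $wpdb->get_var(
		$wpdb->prepare( "SELECT user_id FROM {$table} WHERE id = %d", $entry_id )
	);
	if ( null === $owner_id ) {
		wp_send_json_error( array( 'message' => 'Entry not found.' ), 404 );
	}
	if ( (int) $owner_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Not your entry.' ), 403 );
	}

	// 5. Delete exactly one row by primary key.
	if ( false === $wpdb->delete( $table, array( 'id' => $entry_id ), array( '%d' ) ) ) {
		wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
	}
	wp_send_json_success( array( 'deleted' => $entry_id ) );
}
```

With these checks in place, a sequential ID alone no longer authorizes a delete: the request also needs a valid session nonce, a sufficient capability, and a matching row owner.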

Affected Version(s)

Advanced Contact Form 7 – Compact DB 0 <= 1.0.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

YU-SHENG YU