Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi
CVE-2026-40769

8.6 HIGH

What is CVE-2026-40769?

An unauthenticated arbitrary file deletion vulnerability exists in the Contact Form Extender for Divi plugin, affecting versions up to and including 1.0.6. Unprivileged users can exploit it to delete files on the server without authorization. This poses a significant risk: important site files can be lost and site integrity compromised. Users are advised to update to the latest version and implement security measures to safeguard against potential attacks.

Affected Version(s)

Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field <= 1.0.6

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

babyhack(@OPCIA) | Patchstack Bug Bounty Program