Cross-Site Request Forgery in WP Contact Form 7 DB Handler Plugin by WordPress
CVE-2026-6455

8.1HIGH

Key Information:

Vendor: WordPress
Status: WP Contact Form 7 Db Handler
Vendor: CVE Published:; 28 May 2026

What is CVE-2026-6455?

The WP Contact Form 7 DB Handler plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) exploitation, resulting in Arbitrary File Deletion through SQL Injection and PHP Object Injection vulnerabilities. This issue arises from inadequate nonce verification in the process_bulk_action() function, allowing attackers to bypass checks by omitting the _wpnonce field. By leveraging an unvalidated user-supplied value in a SQL context, an attacker could inject a malicious SQL command that is executed on behalf of a logged-in administrator, enabling the deletion of arbitrary files, including sensitive system files and configurations.

Affected Version(s)

WP Contact Form 7 DB Handler 0 <= 3.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-contact-for...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
Apr 16, 2026

Credit

Louis Deschanel

Pascal SUN

CVE-2026-6455 Data

JSON