Arbitrary File Deletion Vulnerability in Contact Form Plugins for WordPress
CVE-2026-9843

8.1HIGH

What is CVE-2026-9843?

A vulnerability in the Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress (all versions up to and including 1.5.1) allows unauthenticated attackers to delete arbitrary files on the server. The root cause is insufficient file path validation in the plugin's view_page function: an attacker submits a form entry containing crafted JSON keys that bypass the function's checks, and the deletion is triggered when an administrator later views or edits the tampered entry (which is why the CVSS vector records User Interaction: Required). Deleting a critical file such as wp-config.php can escalate to remote code execution, because a WordPress site without its configuration file falls back to the installation wizard, which an attacker can complete against a database they control and then use to install arbitrary plugin or theme code.
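The mechanism described above, as an added illustration that is neither the plugin's code nor taken from the advisory: the page does not show view_page itself, so the snippet models the general bug class (a filesystem path derived from attacker-controlled entry JSON reaching unlink() without confinement) next to the standard fix (resolve with realpath and require the result to stay under the upload directory). The `_file` key convention, the directory layout and the sample entry are all constructed for the demo.

```php
<?php
// Added illustration, not the plugin's code. A stored entry is JSON; keys
// ending in "_file" (assumed convention) hold the relative path of an
// uploaded attachment that the admin screen removes from disk.

// Vulnerable pattern: trusts the relative path from the stored entry.
function delete_attachments_vulnerable(string $uploadBase, array $entry): array {
    $deleted = [];
    foreach ($entry as $key => $value) {
        if (!is_string($value) || substr($key, -5) !== '_file') {
            continue;
        }
        // Plain concatenation: "../" in $value walks out of $uploadBase.
        $path = $uploadBase . '/' . $value;
        if (is_file($path)) {
            unlink($path);
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Returns the canonical path if the file exists inside $uploadBase, else null.
function confine_to_upload_dir(string $uploadBase, string $relative): ?string {
    $base = realpath($uploadBase);
    if ($base === false || $relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $resolved = realpath($base . '/' . $relative);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    // Compare against "<base>/" so a sibling like "<base>-other/x" cannot pass.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

// Hardened pattern: same loop, but only confined paths reach unlink().
function delete_attachments_hardened(string $uploadBase, array $entry): array {
    $deleted = [];
    foreach ($entry as $key => $value) {
        if (!is_string($value) || substr($key, -5) !== '_file') {
            continue;
        }
        $path = confine_to_upload_dir($uploadBase, $value);
        if ($path !== null) {
            unlink($path);
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// --- demo on a scratch directory (constructed sample data) ---
$root    = sys_get_temp_dir() . '/cf-entry-demo-' . getmypid();
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // stands in for the real config\n");
file_put_contents($uploads . '/resume.pdf', 'attachment bytes');

// Constructed entry: one legitimate attachment key and one traversal key
// that an unauthenticated submitter could plant in the stored JSON.
$entry = json_decode(
    '{"name":"Alice","resume_file":"resume.pdf","x_file":"../wp-config.php"}',
    true
);

// Hardened: deletes only uploads/resume.pdf; the traversal key is rejected
// and wp-config.php survives.
print_r(delete_attachments_hardened($uploads, $entry));
var_dump(file_exists($root . '/wp-config.php'));

// Vulnerable: the traversal key reaches unlink() and wp-config.php is gone.
print_r(delete_attachments_vulnerable($uploads, $entry));
var_dump(file_exists($root . '/wp-config.php'));

// Clean up the scratch directory.
rmdir($uploads);
rmdir($root);
```

Run with `php`. In a real plugin the base directory would come from wp_upload_dir(), and the same realpath-plus-prefix check belongs in front of every filesystem call whose path is derived from stored entry data, not only the delete path.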

Affected Version(s)

Database for Contact Form 7, WPforms, Elementor forms: all versions up to and including 1.5.1

CVSS V3.1

Score:
8.1
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

daroo