WordPress Contact-Form-7-DB v1.5.1: File Deletion Unauth RCE
CVE-2026-9843 Published on June 20, 2026
Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP's bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file.
Timeline
Vendor Notified
Disclosed 22 days later.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-9843 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-9843
Want to know whenever a new CVE is published for Crmperks Database Contact Form 7 Wpforms Elementor Forms? stack.watch will email you.
Affected Versions
crmperks Database for Contact Form 7, WPforms, Elementor forms:- Before and including 1.5.1 is affected.