CVE-2026-9187

{"id": "CVE-2026-9187", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-9187", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-16T12:37:23.714180Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "zealopensource", "product": "Abandoned Contact Form 7", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2"}], "defaultStatus": "unaffected"}]}], "published": "2026-06-16T06:16:58.817", "references": [{"url": "https://plugins.trac.wordpress.org/browser/abandoned-contact-form-7/tags/2.2/inc/class.cf7af.php#L49", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/abandoned-contact-form-7/tags/2.2/inc/class.cf7af.php#L65", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/abandoned-contact-form-7/tags/2.2/inc/class.cf7af.php#L68", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a38ebdeb-6ab8-4f1d-9c13-39211a9e97b6?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax."}], "lastModified": "2026-06-17T11:04:54.927", "sourceIdentifier": "security@wordfence.com"}