CVE-2026-0811 MEDIUM

CVE-2026-0811: Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion

Vendor Vsourz1Td
Product Advanced Contact form 7 DB
Weakness CWE-352 · CSRF
Published April 8, 2026
Last update April 8, 2026

CVSS 3.1 base score

5.4/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation in the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entries via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link while logged in.
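The following is an added illustration of the bug class described above, not code from the plugin or its vendor. The callback name 'vsz_cf7_save_setting_callback' comes from the advisory; its body, the AJAX action name 'vsz_cf7_save_setting', the nonce action string, the option name 'vsz_cf7_settings', the table name and the request parameters are all assumptions chosen for the example. The first function shows the pattern that makes a state-changing handler forgeable; the second shows the conventional WordPress fix (nonce check plus capability check), and the enqueue function shows how the admin page gets a nonce to send back.

```php
<?php
// Added example, not the plugin's code. Names other than the callback are assumed.

// --- Vulnerable pattern --------------------------------------------------
// The handler trusts any request that arrives with an administrator's auth
// cookie. A page on attacker.example can auto-submit this request; the
// victim's browser attaches the WordPress cookie and the deletion runs.
function vsz_cf7_save_setting_callback_vulnerable() {
    global $wpdb;
    if ( isset( $_POST['delete_entry_id'] ) ) {
        $id = absint( $_POST['delete_entry_id'] );
        // Assumed table name. Nothing here proves the admin intended this.
        $wpdb->delete( $wpdb->prefix . 'cf7_vdata_entry', array( 'data_id' => $id ), array( '%d' ) );
    }
    if ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) {
        update_option( 'vsz_cf7_settings', wp_unslash( $_POST['settings'] ) );
    }
    wp_send_json_success();
}

// --- Hardened pattern ----------------------------------------------------
function vsz_cf7_save_setting_callback_hardened() {
    global $wpdb;

    // 1. Nonce: ties the request to a page WordPress rendered for this user.
    //    An attacker's page cannot read the nonce, so a forged request fails.
    //    check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'vsz_cf7_save_setting', 'nonce' );

    // 2. Capability: a valid nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Defence in depth: refuse GET so a plain link can never trigger a
    //    state change, independent of cookie SameSite behaviour.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }

    if ( isset( $_POST['delete_entry_id'] ) ) {
        $id = absint( $_POST['delete_entry_id'] );
        $wpdb->delete( $wpdb->prefix . 'cf7_vdata_entry', array( 'data_id' => $id ), array( '%d' ) );
    }
    if ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) {
        $clean = array_map( 'sanitize_text_field', wp_unslash( $_POST['settings'] ) );
        update_option( 'vsz_cf7_settings', $clean );
    }
    wp_send_json_success();
}
// Registered for authenticated users only; no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_vsz_cf7_save_setting', 'vsz_cf7_save_setting_callback_hardened' );

// --- Supplying the nonce to the admin page ------------------------------
// The settings screen's script receives a fresh nonce and must send it back
// as the 'nonce' parameter of every vsz_cf7_save_setting request.
function vsz_cf7_enqueue_admin_assets() {
    wp_enqueue_script( 'vsz-cf7-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'vsz-cf7-admin', 'vszCf7', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'vsz_cf7_save_setting' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'vsz_cf7_enqueue_admin_assets' );
```

When auditing a plugin for this class of bug, grep every `wp_ajax_` and `admin_post_` callback and confirm that each one that writes to the database or options table calls `check_ajax_referer()`, `check_admin_referer()` or `wp_verify_nonce()` before doing so, and separately checks a capability; a nonce on its own does not stop a low-privilege user from calling the handler directly.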

Explanation of Vulnerability in Simple Terms

02 Summary

Advanced Contact Form 7 DB versions up to and including 2.0.9 do not verify a nonce in the 'vsz_cf7_save_setting_callback' handler, so WordPress cannot distinguish a request the administrator intended from one an attacker's web page submitted on their behalf. An attacker can craft a page that, when visited by a logged-in site administrator, silently deletes stored form entries or changes plugin settings through that handler. The attacker needs no account on the site; the attack only requires the victim to visit the attacker's page while authenticated to WordPress.

What an attacker can do

03 Attacker Capabilities

Delete stored form entries or modify plugin settings on behalf of a logged-in administrator, without holding any account on the target site.

Potential impact on your site

04 Site Impact

Loss of submitted contact-form data (entries are deleted from the plugin's storage, not merely hidden) and unwanted changes to the plugin's configuration. Because the forged request is sent by the administrator's own browser with their session cookie, server logs attribute the action to the administrator, which complicates incident response.

Conditions required to exploit

05 Prerequisites

A user with administrator privileges must be logged in to the WordPress site and, while authenticated, load an attacker-controlled page or follow an attacker-supplied link. No account on the target site is needed by the attacker. Browser SameSite defaults are not a reliable mitigation here: WordPress does not set a SameSite attribute on its authentication cookies, and a Lax default still sends them on top-level GET navigation.

Key dates

06 Disclosure timeline

April 8, 2026 CVE published
April 8, 2026 Record updated