What the vulnerability does
01 Description
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entries via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Explanation of Vulnerability in Simple Terms
02 Summary
Advanced Contact form 7 DB versions up to and including 2.0.9 do not correctly validate a nonce in the 'vsz_cf7_save_setting_callback' handler, so the server cannot tell a request the administrator intended from one forged by a third party. An attacker can build a web page that, when visited by a logged-in administrator, makes the browser send a request to that handler; the browser attaches the site's WordPress authentication cookies automatically, so the request is processed with the administrator's privileges. The description above gives deletion of stored form entries as the resulting action, and because the affected function is the plugin's settings-save handler, plugin settings can be altered the same way. The attacker needs no account on the site; the attack only requires the administrator to visit the attacker's page (or follow a link to it) while authenticated to WordPress.
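To make the weakness concrete, below is an illustrative WordPress admin-ajax handler written for this page. It is not the plugin's own code, and the hook names, nonce action, option key, table name and request parameters are assumptions chosen for the demonstration. The first function has the shape the description attributes to 'vsz_cf7_save_setting_callback': it changes state on any request that arrives with the administrator's cookies. The second is the hardened form, which verifies a nonce with check_ajax_referer() and a capability with current_user_can() before touching anything, and the form renderer shows where the matching nonce has to be emitted so the legitimate settings page still works.

```php
<?php
// Added example for this advisory; not the plugin's actual code.
// Hook names, nonce action, option key, table name and request parameters
// below are assumptions chosen for the demonstration.

// --- Vulnerable shape: acts on any request carrying the admin's cookies ---
add_action( 'wp_ajax_example_cf7db_save_setting', 'example_cf7db_save_setting_insecure' );

function example_cf7db_save_setting_insecure() {
	// No nonce check and no capability check. A request forged from a page the
	// administrator is tricked into visiting is indistinguishable from a real
	// one here, because the browser sends the WordPress auth cookies either way.
	if ( isset( $_POST['delete_entry_id'] ) ) {
		example_cf7db_delete_entry( absint( $_POST['delete_entry_id'] ) );
	}
	update_option( 'example_cf7db_settings', array(
		'rows_per_page' => absint( $_POST['rows_per_page'] ?? 20 ),
	) );
	wp_send_json_success();
}

// --- Hardened shape: nonce and capability are checked before any state change ---
add_action( 'wp_ajax_example_cf7db_save_setting_secure', 'example_cf7db_save_setting_secure' );

function example_cf7db_save_setting_secure() {
	// check_ajax_referer() looks for the nonce in the named request field
	// ('_ajax_nonce' here) and terminates the request on failure. The nonce is
	// bound to the logged-in user's session and to the action string, so a page
	// on an attacker's origin cannot obtain or guess a valid one.
	check_ajax_referer( 'example_cf7db_save_setting', '_ajax_nonce' );

	// CSRF protection is not authorization: also confirm the caller's role.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	if ( isset( $_POST['delete_entry_id'] ) ) {
		example_cf7db_delete_entry( absint( $_POST['delete_entry_id'] ) );
	}
	update_option( 'example_cf7db_settings', array(
		'rows_per_page' => absint( $_POST['rows_per_page'] ?? 20 ),
	) );
	wp_send_json_success();
}

// The legitimate settings page must emit the nonce the secure handler expects.
function example_cf7db_render_settings_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
		<input type="hidden" name="action" value="example_cf7db_save_setting_secure">
		<?php wp_nonce_field( 'example_cf7db_save_setting', '_ajax_nonce' ); ?>
		<input type="number" name="rows_per_page" value="20">
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

// Stand-in for the plugin's entry deletion; the table and column are assumed.
function example_cf7db_delete_entry( $entry_id ) {
	global $wpdb;
	$wpdb->delete( $wpdb->prefix . 'example_cf7db_entries', array( 'id' => $entry_id ), array( '%d' ) );
}
```

The description says "missing or incorrect" nonce validation. The incorrect variant usually looks like a call to wp_verify_nonce() whose false return value is never acted on, or a nonce check that runs after the state change. When auditing a handler, treat it as affected unless it fails closed on a bad or absent nonce before anything is written.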
What an attacker can do
03 Attacker Capabilities
Cause the unprotected settings-save handler to run with a logged-in administrator's privileges: delete stored form entries and alter the plugin's settings. The attacker does not need an account on the site and, because the forged request is cross-origin, cannot read the response; the impact is limited to the state changes the handler performs.
Potential impact on your site
04 Site Impact
Loss of stored contact-form entries and unwanted changes to the plugin's settings, made without the administrator's knowledge or consent. Because the request is issued by the administrator's own browser, server logs attribute it to the administrator's IP address and session, which complicates detection and attribution after the fact.
Conditions required to exploit
05 Prerequisites
The site must run Advanced Contact form 7 DB at version 2.0.9 or earlier. A site administrator must be logged in to WordPress and, while that session is valid, visit an attacker-controlled page or follow a link the attacker supplies. The attacker needs no credentials or account on the target site.
Key dates
06 Disclosure timeline
April 8, 2026: CVE published
April 8, 2026: Record updated