CVE-2026-40769 HIGH

CVE-2026-40769: WordPress Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin <= 1.0.6 - Arbitrary File Deletion vulnerability

Vendor Satinder Singh
Product Contact Form Extender for Divi &#8211; Save Entries, File Upload &amp; Country Code Field
Weakness CWE-22 · Path traversal
Published June 15, 2026
Last update June 15, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi &#8211; Save Entries, File Upload &amp; Country Code Field <= 1.0.6 versions.

Explanation of Vulnerability in Simple Terms

02Summary

Contact Form Extender for Divi versions up to 1.0.6 contain a path traversal vulnerability in file upload handling. An attacker can craft malicious file paths to write files outside the intended upload directory, potentially overwriting critical site files or injecting malicious code. No authentication is required to exploit this flaw.

What an attacker can do

03Attacker Capabilities

Write files to arbitrary locations on the server, potentially overwriting site files or injecting malicious code.

Potential impact on your site

04Site Impact

Attackers can modify or delete site files, inject malware, or compromise site functionality without needing a user account.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 15, 2026 CVE published

Related vulnerabilities

08Related CVE