CVE-2026-9187
Deferred Deferred - Pending Action

Arbitrary Post Deletion in Abandoned Contact Form 7 WordPress Plugin

Vulnerability report for CVE-2026-9187, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpres_plugin abandoned_contact_form_7 to 2.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Abandoned Contact Form 7 plugin for WordPress has a vulnerability in versions up to and including 2.2 that allows unauthorized arbitrary post deletion. This happens because the function action__remove_abandoned() lacks proper capability checks and nonce validation. It accepts a user-supplied recover_id parameter from a POST request and passes it directly to the wp_delete_post() function with the force-delete flag enabled, without verifying if the post ID belongs to the plugin's own post type. As a result, unauthenticated attackers can permanently delete any posts, pages, or other content on the affected WordPress site by sending a single specially crafted admin-ajax request.

Impact Analysis

This vulnerability can lead to permanent deletion of arbitrary posts, pages, or other content on a WordPress site using the affected plugin. Since the deletion can be performed by unauthenticated attackers, it poses a significant risk of data loss and content disruption. The integrity and availability of website content can be compromised, potentially affecting the site's operation and user trust.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized POST requests to the admin-ajax.php endpoint with the action parameter set to remove_abandoned.

Specifically, look for POST requests containing the recover_id parameter targeting the wp_ajax_remove_abandoned or wp_ajax_nopriv_remove_abandoned hooks.

You can use network monitoring tools or web server logs to identify such suspicious requests.

Example command to search web server logs for such requests (assuming Apache logs):

  • grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=remove_abandoned'

Alternatively, use tools like tcpdump or Wireshark to capture and filter HTTP POST requests containing the action=remove_abandoned parameter.

Mitigation Strategies

Immediate mitigation steps include updating the Abandoned Contact Form 7 plugin to a version later than 2.2 where this vulnerability is fixed.

If an update is not immediately available, restrict access to admin-ajax.php or disable the vulnerable hooks by applying custom code or security plugins that block unauthorized requests to the remove_abandoned action.

Additionally, implement web application firewall (WAF) rules to block unauthenticated POST requests attempting to invoke the remove_abandoned action.

Regularly back up your WordPress site to recover any content that might be deleted due to exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9187. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart