CVE-2026-9187
Arbitrary Post Deletion in Abandoned Contact Form 7 WordPress Plugin

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description
The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax request.
Affected Vendors & Products
Vendor: wordpres_plugin
Product: abandoned_contact_form_7
Version / Range: up to 2.2 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Abandoned Contact Form 7 plugin for WordPress has a vulnerability in versions up to and including 2.2 that allows unauthorized arbitrary post deletion. This happens because the function action__remove_abandoned() lacks proper capability checks and nonce validation. It accepts a user-supplied recover_id parameter from a POST request and passes it directly to the wp_delete_post() function with the force-delete flag enabled, without verifying whether the post ID belongs to the plugin's own post type. As a result, unauthenticated attackers can permanently delete any posts, pages, or other content on the affected WordPress site by sending a single specially crafted admin-ajax request.
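The hardened shape of the handler described in the Description and Executive Summary above, written here as an added example reconstructed from that description (not the plugin's own code): it adds the nonce check, capability check and cf7af_data post-type check that the advisory says are missing, and drops the nopriv registration. The nonce action name cf7af_remove_abandoned, the manage_options capability and the function name are assumptions.

```php
<?php
// Added example: a hardened remove-abandoned AJAX handler reconstructed from the
// CVE description. Not the plugin's actual code. The nonce action name
// 'cf7af_remove_abandoned' and the 'manage_options' capability are assumptions.

// Register only the authenticated hook. The advisory notes the vulnerable handler
// was also bound to wp_ajax_nopriv_remove_abandoned, which exposes it to logged-out
// requests; an admin-only cleanup action has no reason to be reachable there.
add_action( 'wp_ajax_remove_abandoned', 'cf7af_action__remove_abandoned_hardened' );

function cf7af_action__remove_abandoned_hardened() {
    // 1. Nonce check: rejects requests that did not originate from the plugin's
    //    own admin UI (CSRF). check_ajax_referer() terminates with -1 on failure.
    check_ajax_referer( 'cf7af_remove_abandoned', 'nonce' );

    // 2. Capability check: only users allowed to manage the plugin may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: the ID must be a positive integer.
    $recover_id = isset( $_POST['recover_id'] ) ? absint( wp_unslash( $_POST['recover_id'] ) ) : 0;
    if ( 0 === $recover_id ) {
        wp_send_json_error( array( 'message' => 'Invalid recover_id.' ), 400 );
    }

    // 4. Ownership check: the target must be one of the plugin's own cf7af_data
    //    records, so a crafted ID cannot reach pages, posts or other post types.
    $post = get_post( $recover_id );
    if ( ! $post || 'cf7af_data' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not an abandoned-form record.' ), 404 );
    }

    // 5. Only now perform the force delete the vulnerable handler did unconditionally.
    $deleted = wp_delete_post( $recover_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $recover_id ) );
}

// The admin page that triggers the action must emit the matching nonce, e.g.:
// wp_localize_script( 'cf7af-admin', 'cf7af',
//     array( 'nonce' => wp_create_nonce( 'cf7af_remove_abandoned' ) ) );
```

For detection on an unpatched site, admin-ajax.php POST requests with action=remove_abandoned from sessions without a logged-in cookie are the signal to look for in access logs.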

Impact Analysis

This vulnerability can lead to permanent deletion of arbitrary posts, pages, or other content on a WordPress site using the affected plugin. Since the deletion can be performed by unauthenticated attackers, it poses a significant risk of data loss and content disruption. The integrity and availability of website content can be compromised, potentially affecting the site's operation and user trust.
