Security Advisory · Published 2026-05-28
CVE-2026-6455: One Click Deletes Your wp-config.php - And You Won't See It Coming
I just finished tracing this attack chain and I need you to hear this clearly:
if you're running the WP Contact Form 7 DB Handler plugin (version 3.0 or below),
an attacker can trick you into clicking a single link - and that click deletes
wp-config.php off your server. Your site goes down. Your database credentials
are gone. Your recovery window is however fast you can restore from backup.
And the kicker? The attacker doesn't need an account on your site. They need you
to be logged in as admin and click one link. That's it.
How this attack chain actually works
This is a chained WordPress plugin issue. Each layer changes what you need to check on the server, from admin session exposure to unexpected file deletion.
Layer 1: CSRF bypass (the front door)
The plugin's process_bulk_action() function is supposed to verify a WordPress
nonce before doing anything dangerous. But here's the catch - it only checks for the nonce
if the nonce field exists in the POST body. Omit the _wpnonce field
entirely and the check never runs. The door is wide open.
Operational impact: Any webpage on the internet can send a POST request to your WordPress admin on your behalf, as long as you're logged in. No nonce needed. No confirmation dialog. Your browser just does it.
Layer 2: SQL injection (the weapon)
The function takes a user-supplied ID and drops it straight into a SQL query:
WHERE ID = $ID - no parameterization, no prepared statement, no type casting.
That gives an attacker a way to influence the query result instead of only reading
the intended form-submission record.
Operational impact: The attacker controls what the database returns. They can make
WordPress think the query result contains whatever they want - including a carefully crafted
serialized PHP string in the post_content field.
Layer 3: PHP deserialization (the payload)
The query result's post_content field gets passed to unserialize().
If an attacker controls that field, PHP can deserialize data the plugin was never
supposed to trust. Array keys containing ys_cfdbh_file then get treated
as file paths.
Operational impact: The attacker now has a list of file paths that the plugin will blindly act on. And what does the plugin do with those paths?
Layer 4: Arbitrary file deletion (the kill shot)
Those file paths get appended to the uploads directory and passed directly to
wp_delete_file(). No path traversal validation. No whitelist. The attacker
uses ../../../ sequences to escape the uploads folder and target any file
on the server.
Operational impact: Deleting wp-config.php can take the site offline.
Delete .htaccess and the server might expose raw PHP files. Delete backup
scripts and you've just killed the recovery path. This is surgical, silent destruction.
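A hardened bulk-action handler that closes all four layers at once, as an added illustration (not the plugin's own code): the function name, the nonce action string and the "ids" POST parameter are assumptions; wp_delete_file(), $wpdb->prepare() and the ys_cfdbh_file key are from the advisory.

```php
<?php
// Hardened sketch of a bulk-delete handler. Added example, not the plugin's code:
// ys_cfdbh_safe_bulk_delete, the nonce action 'ys_cfdbh_bulk' and $_POST['ids'] are assumed.
function ys_cfdbh_safe_bulk_delete() {
    global $wpdb;

    // Layer 1: verify the nonce unconditionally. check_admin_referer() dies when the
    // _wpnonce field is missing OR invalid, so omitting the field no longer skips the check.
    check_admin_referer( 'ys_cfdbh_bulk' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // Layer 2: force IDs to integers and bind them with prepare(), never concatenate.
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) ) );
    if ( empty( $ids ) ) {
        return;
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_content FROM {$wpdb->posts} WHERE ID IN ($placeholders)",
        $ids
    ) );

    $base = realpath( wp_upload_dir()['basedir'] );

    foreach ( $rows as $row ) {
        // Layer 3: stored data is still untrusted; forbid object instantiation on unserialize.
        $meta = @unserialize( $row->post_content, array( 'allowed_classes' => false ) );
        if ( ! is_array( $meta ) ) {
            continue;
        }
        foreach ( $meta as $key => $value ) {
            if ( ! is_string( $value ) || false === strpos( (string) $key, 'ys_cfdbh_file' ) ) {
                continue;
            }
            // Layer 4: resolve the real path and require it to stay inside uploads.
            $target = realpath( $base . '/' . ltrim( wp_normalize_path( $value ), '/' ) );
            if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
                continue; // traversal (../) or non-existent file: refuse to delete
            }
            wp_delete_file( $target );
        }
    }
}
```

realpath() collapses any ../ segments before the prefix check, which is what makes the containment test reliable; checking the raw string for ".." is not enough.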
Am I affected?
You're affected if:
- You run the "WP Contact Form 7 DB Handler" plugin (not Contact Form 7 itself - the DB addon)
- Your version is 3.0 or earlier
- You have any admin user who could click a link while logged in
Don't confuse this with Contact Form 7 itself. CF7 (the core plugin by Takayuki Miyoshi, 5 million+ installs) is not affected. The vulnerable plugin is the third-party DB Handler addon that saves form submissions to your database.
Check right now - 60 seconds
# SSH into your server, then:
wp plugin list --status=active | grep -i "cf7\|contact-form-7-db\|cfdbh"
# Or check the plugin folder directly:
ls -la wp-content/plugins/ | grep -i "cf7\|contact.*db\|cfdbh"
# If found, check the version:
grep "Version:" wp-content/plugins/wp-contact-form-7-db-handler/wp-contact-form-7-db-handler.php 2>/dev/null
If that returns version 3.0 or lower, you're vulnerable right now.
Check for signs of exploitation
This attack deletes files, so the evidence is what's missing. Look for:
# Is wp-config.php still there?
ls -la wp-config.php
# Check if .htaccess has been tampered with or is missing:
ls -la .htaccess
head -20 .htaccess
# Look for recent file deletions in your access log:
grep -i "process_bulk_action\|bulk-action\|_wpnonce" wp-content/debug.log 2>/dev/null
grep "POST.*cf7\|POST.*cfdbh" /var/log/apache2/access.log /var/log/nginx/access.log 2>/dev/null
# Check for CSRF-style requests: POSTs to admin endpoints whose referrer is not your own site
# (combined log format puts the referrer after the request; replace example.com with your host):
grep '"POST /wp-admin/' /var/log/apache2/access.log 2>/dev/null | grep -vi 'https\?://[^"]*example\.com' | grep -i "bulk" | tail -20
What to do right now
🔴 Right now - 5 minutes
# Deactivate the plugin immediately:
wp plugin deactivate wp-contact-form-7-db-handler
# If WP-CLI isn't available:
# Rename the plugin folder to disable it:
mv wp-content/plugins/wp-contact-form-7-db-handler wp-content/plugins/wp-contact-form-7-db-handler.DISABLED
Your form submissions will stop being saved to the database. That's fine - your forms still work through Contact Form 7's email delivery. You're just losing the DB logging temporarily.
🟡 Today - 30 minutes
# Check if a patched version exists:
wp plugin update wp-contact-form-7-db-handler
# Verify your wp-config.php is intact:
php -r "require('wp-config.php'); echo 'Config OK';" 2>/dev/null && echo "OK: wp-config.php is valid" || echo "PROBLEM"
# Back up everything NOW if you haven't:
tar czf ~/wp-backup-$(date +%Y%m%d).tar.gz /var/www/html/
mysqldump -u root -p your_database > ~/db-backup-$(date +%Y%m%d).sql
🟢 This week - harden against the whole class
- Audit every CF7 addon - DB handlers, redirectors, analytics plugins. Third-party CF7 addons are a recurring attack surface. Remove any you don't actively need.
- Add a WAF rule - Block POST requests to admin-ajax.php and admin-post.php that arrive with external referrers and no valid nonce. Most WAFs (Wordfence, Sucuri, Cloudflare) have rules for this.
- File integrity monitoring - Set up WP-CLI's checksum verification (wp core verify-checksums) as a daily cron. If any core file gets deleted or modified, you'll know within 24 hours.
- Limit admin sessions - Don't browse the web while logged into WordPress admin. Use a separate browser or profile. This kills the entire CSRF attack vector.
The bigger picture
This CVE is a textbook example of why the WordPress plugin ecosystem keeps me up at night. Contact Form 7 itself is solid - Takayuki Miyoshi has maintained it for over a decade with a strong security track record. But the addon ecosystem around it is the Wild West. Any developer can publish a plugin that hooks into CF7's data, and WordPress.org's review process doesn't catch logic bugs like missing nonce checks or raw SQL concatenation.
The pattern I keep seeing: a popular core plugin (CF7, WooCommerce, Elementor) does things right, but a third-party addon with 10,000 installs and one maintainer introduces a critical vulnerability. The addon rides the parent plugin's reputation. Users install it without thinking twice. And here we are.
Rule of thumb: for every major plugin you run, audit the addons around it. They're where the real risk hides.
Need help checking your site?
If any of those commands lit up red, or you're not comfortable running them yourself, Ping7 can check plugin versions, scan for IOCs, verify database integrity, and give you a concrete fix list.
- WordPress plugin audit: $49 - results in 24 hours
- Emergency cleanup: $299 if you've been actively compromised
References
- NVD: CVE-2026-6455
- Vulnerable code: form-inner-page-class.php L589
- CWE-352: Cross-Site Request Forgery
- CWE-89: SQL Injection
- CWE-502: Deserialization of Untrusted Data
- CWE-22: Path Traversal
- CVSS 8.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H