Security Advisory · Published 2026-05-28

CVE-2026-6455: One Click Deletes Your wp-config.php - And You Won't See It Coming

I just finished tracing this attack chain and I need you to hear this clearly: if you're running the WP Contact Form 7 DB Handler plugin (version 3.0 or below), an attacker can trick you into clicking a single link - and that click deletes wp-config.php off your server. Your site goes down. Your database credentials are gone. Your recovery window is however fast you can restore from backup. And the kicker? The attacker doesn't need an account on your site. They need you to be logged in as admin and click one link. That's it.

How this attack chain actually works

This is a chained WordPress plugin issue. Each layer changes what you need to check on the server, from admin session exposure to unexpected file deletion.

Layer 1: CSRF bypass (the front door)

The plugin's process_bulk_action() function is supposed to verify a WordPress nonce before doing anything dangerous. But here's the catch - it only checks for the nonce if the nonce field exists in the POST body. Omit the _wpnonce field entirely and the check never runs. The door is wide open.

Operational impact: Any webpage on the internet can send a POST request to your WordPress admin on your behalf, as long as you're logged in. No nonce needed. No confirmation dialog. Your browser just does it.

Layer 2: SQL injection (the weapon)

The function takes a user-supplied ID and drops it straight into a SQL query: WHERE ID = $ID - no parameterization, no prepared statement, no type casting. That gives an attacker a way to influence the query result instead of only reading the intended form-submission record.

Operational impact: The attacker controls what the database returns. They can make WordPress think the query result contains whatever they want - including a carefully crafted serialized PHP string in the post_content field.

Layer 3: PHP deserialization (the payload)

The query result's post_content field gets passed to unserialize(). If an attacker controls that field, PHP can deserialize data the plugin was never supposed to trust. Array keys containing ys_cfdbh_file then get treated as file paths.

Operational impact: The attacker now has a list of file paths that the plugin will blindly act on. And what does the plugin do with those paths?

Layer 4: Arbitrary file deletion (the kill shot)

Those file paths get appended to the uploads directory and passed directly to wp_delete_file(). No path traversal validation. No whitelist. The attacker uses ../../../ sequences to escape the uploads folder and target any file on the server.

Operational impact: Deleting wp-config.php can take the site offline. Delete .htaccess and the server might expose raw PHP files. Delete backup scripts and you've just killed the recovery path. This is surgical, silent destruction.
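To make the four missing checks concrete, here is an added illustration of what a hardened bulk-delete handler looks like. This is example code written for this advisory, not the plugin's own code; the nonce action name, the capability, the posts table and the ys_cfdbh_file key prefix are assumptions.

```php
<?php
// Added illustrative example, not the plugin's code: a hardened handler
// showing how each layer above is closed. Names (nonce action, capability,
// the ys_cfdbh_file key prefix, the posts table) are assumptions.

function hardened_bulk_delete( $id ) {
    global $wpdb;

    // Layer 1: verify the nonce and capability unconditionally. A missing
    // _wpnonce field is a failure, not a reason to skip the check.
    check_admin_referer( 'cfdbh_bulk_action', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    // Layer 2: cast the ID and use a prepared statement instead of "WHERE ID = $ID".
    $id  = absint( $id );
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT post_content FROM {$wpdb->posts} WHERE ID = %d", $id )
    );
    if ( ! $row ) {
        return array();
    }

    // Layer 3: if stored data must be unserialized, forbid object instantiation
    // so a crafted string cannot reach a gadget chain; arrays still decode.
    $data = unserialize( $row->post_content, array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return array();
    }

    // Layer 4: confine every path to the uploads directory before deleting.
    $base    = realpath( wp_upload_dir()['basedir'] );
    $deleted = array();
    foreach ( $data as $key => $value ) {
        if ( strpos( (string) $key, 'ys_cfdbh_file' ) !== 0 ) {
            continue;
        }
        // realpath() resolves ../ sequences, so an escape from $base is visible.
        $path = realpath( $base . '/' . ltrim( (string) $value, '/' ) );
        if ( $path === false || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
            continue; // nonexistent or outside uploads: refuse to delete
        }
        wp_delete_file( $path );
        $deleted[] = $path;
    }
    return $deleted;
}
```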

Am I affected?

You're affected if:

  • You run the "WP Contact Form 7 DB Handler" plugin (not Contact Form 7 itself - the DB addon)
  • Your version is 3.0 or earlier
  • You have any admin user who could click a link while logged in

Don't confuse this with Contact Form 7 itself. CF7 (the core plugin by Takayuki Miyoshi, 5 million+ installs) is not affected. The vulnerable plugin is the third-party DB Handler addon that saves form submissions to your database.

Check right now - 60 seconds

# SSH into your server, then:
wp plugin list --status=active | grep -i "cf7\|contact-form-7-db\|cfdbh"

# Or check the plugin folder directly:
ls -la wp-content/plugins/ | grep -i "cf7\|contact.*db\|cfdbh"

# If found, check the version:
grep "Version:" wp-content/plugins/wp-contact-form-7-db-handler/wp-contact-form-7-db-handler.php 2>/dev/null

If that returns version 3.0 or lower, you're vulnerable right now.

Check for signs of exploitation

This attack deletes files, so the evidence is what's missing. Look for:

# Is wp-config.php still there?
ls -la wp-config.php

# Check if .htaccess has been tampered with or is missing:
ls -la .htaccess
head -20 .htaccess

# Look for bulk-action requests in the debug log and the web server access logs:
grep -i "process_bulk_action\|bulk-action\|_wpnonce" wp-content/debug.log 2>/dev/null
grep "POST.*cf7\|POST.*cfdbh" /var/log/apache2/access.log /var/log/nginx/access.log 2>/dev/null

# Check for CSRF-style referrers from external domains (assumes the combined
# log format, where the referrer is the 4th double-quoted field):
grep '"POST ' /var/log/apache2/access.log 2>/dev/null | grep -i "bulk" | awk -F'"' '{print $4}' | sort | uniq -c | sort -rn | head -20

What to do right now

🔴 Right now - 5 minutes

# Deactivate the plugin immediately:
wp plugin deactivate wp-contact-form-7-db-handler

# If WP-CLI isn't available:
# Rename the plugin folder to disable it:
mv wp-content/plugins/wp-contact-form-7-db-handler wp-content/plugins/wp-contact-form-7-db-handler.DISABLED

Your form submissions will stop being saved to the database. That's fine - your forms still work through Contact Form 7's email delivery. You're just losing the DB logging temporarily.

🟡 Today - 30 minutes

# Check if a patched version exists:
wp plugin update wp-contact-form-7-db-handler

# Verify your wp-config.php is present and parses (php -l is a syntax check; it does not bootstrap WordPress):
[ -f wp-config.php ] && php -l wp-config.php >/dev/null 2>&1 && echo "OK: wp-config.php is valid" || echo "PROBLEM"

# Back up everything NOW if you haven't:
tar czf ~/wp-backup-$(date +%Y%m%d).tar.gz /var/www/html/
mysqldump -u root -p your_database > ~/db-backup-$(date +%Y%m%d).sql

🟢 This week - harden against the whole class

  • Audit every CF7 addon - DB handlers, redirectors, analytics plugins. Third-party CF7 addons are a recurring attack surface. Remove any you don't actively need.
  • Add a WAF rule - Block POST requests to admin-ajax.php and admin-post.php that arrive with external referrers and no valid nonce. Most WAFs (Wordfence, Sucuri, Cloudflare) have rules for this.
  • File integrity monitoring - Set up wp core verify-checksums (and wp plugin verify-checksums --all for plugins) as a daily cron. If any core or plugin file gets deleted or modified, you'll know within 24 hours.
  • Limit admin sessions - Don't browse the web while logged into WordPress admin. Use a separate browser or profile. This kills the entire CSRF attack vector.

The bigger picture

This CVE is a textbook example of why the WordPress plugin ecosystem keeps me up at night. Contact Form 7 itself is solid - Takayuki Miyoshi has maintained it for over a decade with a strong security track record. But the addon ecosystem around it is the Wild West. Any developer can publish a plugin that hooks into CF7's data, and WordPress.org's review process doesn't catch logic bugs like missing nonce checks or raw SQL concatenation.

The pattern I keep seeing: a popular core plugin (CF7, WooCommerce, Elementor) does things right, but a third-party addon with 10,000 installs and one maintainer introduces a critical vulnerability. The addon rides the parent plugin's reputation. Users install it without thinking twice. And here we are.

Rule of thumb: for every major plugin you run, audit the addons around it. They're where the real risk hides.

Need help checking your site?

If any of those commands lit up red, or you're not comfortable running them yourself, Ping7 can check plugin versions, scan for IOCs, verify database integrity, and give you a concrete fix list.

  • WordPress plugin audit: $49 - results in 24 hours
  • Emergency cleanup: $299 if you've been actively compromised
