Abandoned Contact Form 7 Plugin Vulnerability (CVE-2026-9187)


Security Alert Summary

The Abandoned Contact Form 7 plugin for WordPress contains a vulnerability that allows unauthenticated attackers to permanently delete arbitrary posts, pages, or other content by invoking a single admin-ajax action. The issue stems from missing capability and nonce checks in the plugin’s AJAX handler, which passes a user-supplied post ID straight to WordPress’ post-deletion function with the force-delete flag set, so the content bypasses the trash and is gone immediately.


CVE Details

  • CVE ID: CVE-2026-9187
  • Affected component: Abandoned Contact Form 7 plugin for WordPress
  • Affected versions: Versions up to and including 2.2
  • Published: June 16, 2026 at 6:16:58 AM UTC
  • Last modified: June 16, 2026 at 3:22:49 PM UTC
  • CVSS v3.1: Base Score 5.3, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: No authentication required (PR:N); no user interaction required (UI:N).
  • Primary impact: Confidentiality: None; Integrity: Low (unauthorized modification/deletion of content); Availability: None
  • Weakness (CWE): CWE-862 (Missing Authorization)

Technical Details

The plugin registers an AJAX handler named action__remove_abandoned() on both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The nopriv variant is what WordPress invokes for requests with no logged-in session, so the handler is reachable by anyone who can send a POST to /wp-admin/admin-ajax.php. The handler reads a recover_id value from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, which bypasses the trash and removes the post together with its revisions and metadata. Nothing in between performs a capability check, validates a nonce, or verifies that the supplied ID refers to one of the plugin’s own cf7af_data records rather than to an ordinary post or page.

Because the handler is reachable without authentication and uses the supplied ID without ownership or type validation, an attacker can supply the ID of any post or page and have WordPress permanently delete it with a single admin-ajax request. Post IDs are not secret: they appear in ?p= shortlinks and in the public REST API, and they can simply be iterated.
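As an added illustration (not the plugin’s actual source, which this page does not reproduce), the following shows the vulnerable pattern the advisory describes next to a hardened version of the same handler. The hook names, the recover_id parameter and the cf7af_data post type are those named above; the nonce action name cf7af_remove_abandoned, the _ajax_nonce field name and the function name cf7af_remove_abandoned_secure are assumptions for the example. The two halves are alternatives: a real plugin would ship only the hardened one.

```php
<?php
// Added example, not the plugin's own code. The first block reconstructs the
// pattern the advisory describes; the second is a hardened replacement.

// --- Vulnerable pattern as described in the advisory ---------------------
// Registered on both hooks, so logged-out visitors reach the handler too.
add_action( 'wp_ajax_remove_abandoned',        'action__remove_abandoned' );
add_action( 'wp_ajax_nopriv_remove_abandoned', 'action__remove_abandoned' );

function action__remove_abandoned() {
    // No nonce, no capability check, no post-type check: any ID, any caller.
    $recover_id = isset( $_POST['recover_id'] ) ? (int) $_POST['recover_id'] : 0;
    wp_delete_post( $recover_id, true ); // true = skip the trash, delete permanently
    wp_die();
}

// --- Hardened version ---------------------------------------------------
// Only the privileged hook is registered: an anonymous visitor has no
// legitimate reason to delete stored form records.
add_action( 'wp_ajax_remove_abandoned', 'cf7af_remove_abandoned_secure' );

function cf7af_remove_abandoned_secure() {
    // 1. Nonce: proves the request came from a page the plugin rendered.
    //    Action and field names are assumed; the JavaScript that issues the
    //    request must send the nonce produced by wp_create_nonce() for them.
    check_ajax_referer( 'cf7af_remove_abandoned', '_ajax_nonce' );

    $recover_id = isset( $_POST['recover_id'] ) ? absint( $_POST['recover_id'] ) : 0;
    if ( ! $recover_id ) {
        wp_send_json_error( array( 'message' => 'Missing recover_id' ), 400 );
    }

    // 2. Post type: the handler may only touch the plugin's own records.
    if ( get_post_type( $recover_id ) !== 'cf7af_data' ) {
        wp_send_json_error( array( 'message' => 'Not an abandoned-form record' ), 403 );
    }

    // 3. Capability: delete_post is a meta capability resolved for this
    //    specific post, so ownership rules of the post type apply as well.
    if ( ! current_user_can( 'delete_post', $recover_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    if ( ! wp_delete_post( $recover_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $recover_id ) );
}
```

The order of the checks matters for what an attacker learns: the nonce check fails first for any forged request, so an unauthenticated caller never reaches the point where the post-type test would reveal whether a given ID exists. wp_send_json_error() terminates the request, which is why the hardened handler does not need explicit returns after each check.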


How This Could Impact Your Website

Because no login is required, the attacker needs nothing more than a post ID, and any content on the site is in scope: pages owned by the site owner, internal staff, or external contributors alike. Since the deletion is forced, the content does not land in the trash and cannot be restored from the WordPress admin; it can only come back from a backup. Practical consequences include the permanent loss of posts or pages, removal of documentation or marketing content, and business disruption while you restore.

The CVSS vector records no confidentiality impact, and the integrity impact as Low, but content deletion is more than a nuisance. Removing a security contact page, a privacy notice, or an internal procedure document can slow incident response, and an attacker who can reshape what a site shows may use that to lend credibility to follow-on phishing or social-engineering attempts.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. The advisory lists all versions up to and including 2.2 as affected; until a newer release exists, deactivate the plugin so its AJAX hooks are no longer registered (deactivation does not remove the plugin’s stored records).
  • Review and reduce unnecessary user roles, especially contributor-level accounts. Note that this particular flaw requires no account at all, so role hygiene does not mitigate it; it limits the blast radius of other issues.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor admin-ajax activity for requests carrying action=remove_abandoned, above all from clients without a logged-in session. Because the action and recover_id are sent in the POST body, a plain web-server access log usually shows only the POST to /wp-admin/admin-ajax.php; request-body visibility needs a WAF, a security plugin, or application-level logging.
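As an added example (not from the plugin vendor or this page), the following must-use plugin gives a site operator an interim guard and the logging suggested above without editing the vulnerable plugin. Drop it into wp-content/mu-plugins/ and remove it once a fixed release is installed. The file name, the function name cf7af_mitigation_log and the log-line format are choices made for this example; the hook names, recover_id and cf7af_data are taken from the advisory.

```php
<?php
/*
 * Plugin Name: Interim guard for remove_abandoned (added example)
 * Description: Blocks anonymous callers of the vulnerable AJAX action and
 *              logs every attempt. Not the plugin's own code.
 */

// Must-use plugins load before ordinary plugins, so the vulnerable hook is not
// registered yet and cannot be removed here. Instead, attach a callback at
// priority 0: it runs before the plugin's handler (default priority 10) and,
// when it terminates the request, that handler never executes.

function cf7af_mitigation_log( $outcome ) {
    // One line per attempt in the PHP error log (wp-content/debug.log when
    // WP_DEBUG_LOG is enabled), enough to grep during incident review.
    error_log( sprintf(
        'remove_abandoned attempt %s: ip=%s recover_id=%s user=%d',
        $outcome,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_POST['recover_id'] ) ? (string) absint( $_POST['recover_id'] ) : '-',
        get_current_user_id()
    ) );
}

// Anonymous callers: always refuse. wp_send_json_error() ends the request.
add_action( 'wp_ajax_nopriv_remove_abandoned', function () {
    cf7af_mitigation_log( 'blocked-anonymous' );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, 0 );

// Logged-in callers: refuse unless the target is one of the plugin's own
// records and the user may delete that specific post. The plugin's nonce
// action name is not known here, so this guard adds no nonce check; it only
// closes the authorization gap until the vendor fix lands.
add_action( 'wp_ajax_remove_abandoned', function () {
    $id = isset( $_POST['recover_id'] ) ? absint( $_POST['recover_id'] ) : 0;
    if ( ! $id
        || get_post_type( $id ) !== 'cf7af_data'
        || ! current_user_can( 'delete_post', $id ) ) {
        cf7af_mitigation_log( 'blocked-authenticated' );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    cf7af_mitigation_log( 'allowed' );
    // Fall through: the plugin's own handler runs next at priority 10.
}, 0 );
```

After deploying it, a blocked attempt shows up as a line such as `remove_abandoned attempt blocked-anonymous: ip=… recover_id=… user=0`, which is the signal to search for when checking whether the flaw was probed before the guard went in. This is a stop-gap, not a replacement for the vendor’s fix: it does not add the missing nonce, and it only covers the one action named in the advisory.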

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References