Mallory
Unrated

Unauthenticated Arbitrary File Deletion in Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1

Identifiers: CVE-2026-9843, CWE-22

CVE-2026-9843 affects the WordPress plugin Database for Contact Form 7, WPforms, Elementor forms in all versions up to and including 1.5.1. The vulnerability is caused by insufficient file path validation in the plugin’s view_page function. An unauthenticated attacker can submit a poisoned form entry containing an attacker-crafted JSON key. When an administrator later views or edits that entry, PHP’s bracket parser reshapes the key in a way that bypasses the plugin’s stored-path isset check, causing the application to delete a traversal-specified file on the server. This results in arbitrary file deletion and can create conditions for remote code execution if critical application files are removed.
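As an added example (written for this page, not code from the plugin or from Mallory), the defensive pattern that closes this class of bug: the key an administrator submits is used only to look up a server-side record, the path to delete comes from that record rather than from the request, and even the stored value is re-resolved and confined to the upload directory before anything is unlinked. The directory layout, the `form-uploads` folder name and the entry record are constructed assumptions.

```python
import os
import tempfile
from typing import Dict, Optional


def confine_to_base(base_dir: str, candidate: str) -> Optional[str]:
    """Resolve candidate relative to base_dir; return the real path only if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    real = os.path.realpath(os.path.join(base, candidate))
    try:
        # commonpath raises ValueError for mixed absolute/relative paths; treat that as outside
        if os.path.commonpath([base, real]) != base:
            return None
    except ValueError:
        return None
    return real


def delete_stored_upload(stored_paths: Dict[str, str], requested_key: str, base_dir: str) -> bool:
    """
    Delete one upload attached to a form entry.

    stored_paths:  attachment key -> relative path, recorded server-side when the entry was saved.
    requested_key: the key received over HTTP (untrusted).
    Returns True if a file was removed, False if the request was refused.
    """
    # 1. The request may only name a key that exists verbatim in the stored record.
    if not isinstance(requested_key, str) or requested_key not in stored_paths:
        return False
    # 2. The path comes from the record, never from the request, and must be relative.
    relative = stored_paths[requested_key]
    if not isinstance(relative, str) or os.path.isabs(relative):
        return False
    # 3. The stored value is re-validated too: it must resolve to a file inside base_dir.
    target = confine_to_base(base_dir, relative)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo_delete_check() -> Dict[str, bool]:
    """Constructed layout: a fake WordPress root holding wp-config.php and an upload folder."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads", "form-uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    open(config, "w").close()
    attachment = os.path.join(uploads, "resume.pdf")
    open(attachment, "w").close()

    entry = {"resume": "resume.pdf"}  # the server-side record for one submission
    return {
        "legit": delete_stored_upload(entry, "resume", uploads),
        # a key that is not in the record is refused before any path handling happens
        "unknown_key": delete_stored_upload(entry, "../../../wp-config.php", uploads),
        # a tampered record value is still stopped by the confinement check
        "tampered_record": delete_stored_upload({"x": "../../../wp-config.php"}, "x", uploads),
        "config_still_present": os.path.isfile(config),
        "attachment_removed": not os.path.isfile(attachment),
    }


if __name__ == "__main__":
    print(demo_delete_check())
```

The same three steps in the plugin's own language are an exact `array_key_exists` lookup against the stored record, `realpath` on the stored value, and a prefix comparison against the upload base directory before `unlink`; a membership test on a key that the request parser has already reshaped gives none of those guarantees.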


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated deletion of arbitrary files accessible to the web application on the server. This can cause application disruption, loss of integrity, and denial of service. If high-value files such as wp-config.php are deleted, the resulting state can facilitate remote code execution or full site compromise, in addition to exposing or destroying sensitive application configuration and data.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or temporarily disable the vulnerable plugin where feasible. Reduce administrator exposure to untrusted form submissions by avoiding viewing or editing suspicious entries until remediation is in place. Monitor for anomalous form submissions and unexpected file deletions, and harden filesystem permissions so the web server user has the minimum necessary write/delete access. Additional defensive monitoring around deletion of sensitive WordPress files such as wp-config.php is advisable.
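As an added example of the deletion monitoring suggested above (written for this page, not Mallory's or the plugin's code), a Python baseline-and-compare check over the critical files of a WordPress root that reports which ones have gone missing or changed. The file list and the temporary-directory scenario are constructed for illustration; in production the baseline would be kept outside the web root and the check run from cron or a host agent.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Files whose unexpected disappearance or change on a WordPress install warrants an alert.
# Illustrative list; extend it for your deployment.
CRITICAL_FILES = ["wp-config.php", "index.php", "wp-settings.php", ".htaccess"]


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(wp_root: str) -> Dict[str, str]:
    """Record the hash of every critical file that currently exists under wp_root."""
    baseline: Dict[str, str] = {}
    for name in CRITICAL_FILES:
        path = os.path.join(wp_root, name)
        if os.path.isfile(path):
            baseline[name] = sha256_of(path)
    return baseline


def check_against_baseline(wp_root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Return baseline files that are now missing, and those whose content changed."""
    findings: Dict[str, List[str]] = {"missing": [], "modified": []}
    for name, expected in baseline.items():
        path = os.path.join(wp_root, name)
        if not os.path.isfile(path):
            findings["missing"].append(name)
        elif sha256_of(path) != expected:
            findings["modified"].append(name)
    return findings


def demo_integrity_check() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake root, then remove wp-config.php and alter index.php."""
    root = tempfile.mkdtemp()
    for name in CRITICAL_FILES:
        with open(os.path.join(root, name), "w") as handle:
            handle.write("<?php // " + name + "\n")
    baseline = build_baseline(root)
    os.unlink(os.path.join(root, "wp-config.php"))       # simulated unexpected deletion
    with open(os.path.join(root, "index.php"), "a") as handle:
        handle.write("// appended\n")                     # simulated unexpected change
    return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo_integrity_check())
```

A missing wp-config.php is the case the Impact section singles out, and it is also the one WordPress itself reacts to by offering a fresh install wizard, so the check should page someone rather than merely log.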

Remediation

Patch, then assume compromise.

Update the Database for Contact Form 7, WPforms, Elementor forms plugin to a vendor-fixed release once one is available. The advisory states that all versions up to and including 1.5.1 are affected and does not identify a fixed version. In addition, review server file permissions so that the web server account cannot delete files it does not need to, inspect the WordPress instance for suspicious form entries or unauthorized file changes, and remove any suspicious files introduced during attempted exploitation.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.
