cleantalk
Vulnerabilities and Security Researches

Advanced Contact form 7 DB, CVE-2021-24905

CVE, Research URL

CVE-2021-24905

Home page URL

Security reports for Advanced Contact form 7 DB

Application

Advanced Contact form 7 DB

Published on
Mar 22, 2022
Research Description
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.
Affected versions
Min -, max 1.8.7.
Status
vulnerable
Previous vulnerability researches
Advanced Contact form 7 DB (CVE-2014-2054) , May 06, 2025
Advanced Contact form 7 DB (CVE-2024-3723) , Jun 14, 2024
Advanced Contact form 7 DB (CVE-2024-4319) , Jun 14, 2024
Advanced Contact form 7 DB (CVE-2022-29408) , Jun 06, 2024
Advanced Contact form 7 DB (CVE-2019-13571) , Jun 06, 2024
New vulnerability
TablePress – Tables in WordPress made easy (CVE-2024-45293) , May 07, 2025
Newsletter – Send awesome emails from WordPress (CVE-2025-3583) , May 07, 2025
Insert PHP Code Snippet (CVE-2024-43275) , May 07, 2025
Gutenverse – Gutenberg Blocks – Page Builder for Site Editor (CVE-2024-38785) , May 07, 2025
Section Widget (CVE-2025-46537) , May 07, 2025