vulnerability

WordPress Plugin: advanced-cf7-db: CVE-2021-24905: Incorrect Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:S/C:P/I:P/A:P)	Feb 22, 2022	May 15, 2025	Jun 24, 2025

Severity

CVSS

(AV:N/AC:M/Au:S/C:P/I:P/A:P)

Published

Feb 22, 2022

Added

May 15, 2025

Modified

Jun 24, 2025

Description

The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.

Solution

advanced-cf7-db-plugin-cve-2021-24905

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-24905
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/4891fd3f-563b-497a-a5d9-617f4862298b?source=api-prod
CVE-2021-24905
https://attackerkb.com/topics/CVE-2021-24905
CWE-863
CWE-352

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today