CVE-2021-24905
📋 TL;DR
This vulnerability in the Advanced Contact form 7 DB WordPress plugin allows any authenticated user to delete arbitrary files on the web server due to missing authorization and file validation. Attackers can delete critical files like wp-config.php to trigger WordPress reinstallation and gain administrator privileges. All WordPress sites running vulnerable versions of this plugin are affected.
💻 Affected Systems
- Advanced Contact form 7 DB WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise: attackers delete wp-config.php, trigger WordPress setup, gain admin access, execute arbitrary code, and take full control of the server.
Likely Case
Site defacement, data loss, or privilege escalation through deletion of critical configuration files leading to administrative access.
If Mitigated
Limited impact if proper file permissions and web application firewalls block unauthorized file deletion attempts.
🎯 Exploit Status
Exploitation requires authenticated access but is simple via crafted AJAX requests. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.7
Vendor Advisory: https://wpscan.com/vulnerability/cf022415-6614-4b95-913b-802186766ae6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Advanced Contact form 7 DB'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.8.7+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Advanced Contact form 7 DB plugin until patched (all platforms)
wp plugin deactivate advanced-cf7-db
Restrict file permissions
Set strict permissions on critical files like wp-config.php to prevent deletion (Linux)
chmod 400 wp-config.php
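A check for the file-permission workaround above, written as an added example and not taken from the advisory. On POSIX systems unlink() is decided by write permission on the containing directory, not by the mode of the file itself, so `chmod 400 wp-config.php` alone does not stop a PHP process that can write to the WordPress root. The audit function reports the facts that matter, and the demo creates a constructed 0400 stand-in file in a temporary directory to show that it can still be removed.

```python
"""Audit whether file-mode hardening actually blocks deletion of wp-config.php.

Added example for CVE-2021-24905; not part of the advisory. The file created
below is a constructed stand-in, not a real WordPress configuration.
"""
import os
import stat
import tempfile


def audit_delete_protection(path):
    """Return the permission facts that decide whether `path` can be unlinked
    by the current process. Deletion is governed by the directory mode."""
    directory = os.path.dirname(os.path.abspath(path))
    file_mode = stat.S_IMODE(os.stat(path).st_mode)
    dir_mode = stat.S_IMODE(os.stat(directory).st_mode)
    return {
        "file_mode": oct(file_mode),
        "file_writable": os.access(path, os.W_OK),
        "dir_mode": oct(dir_mode),
        "dir_writable": os.access(directory, os.W_OK),
        # this is the flag that matters for unlink(), not file_writable
        "deletable_by_this_user": os.access(directory, os.W_OK),
    }


def demo_readonly_file_still_deletable():
    """Create a 0400 file inside a writable temp directory and try to unlink it.
    Returns (audit_before_delete, was_deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "wp-config.php")
        with open(target, "w") as fh:
            fh.write("<?php // constructed stand-in for a real config\n")
        os.chmod(target, 0o400)          # the workaround from the advisory
        audit = audit_delete_protection(target)
        try:
            os.remove(target)            # succeeds: the directory is writable
            deleted = True
        except PermissionError:
            deleted = False
        return audit, deleted


if __name__ == "__main__":
    before, gone = demo_readonly_file_still_deletable()
    print("audit before delete:", before)
    print("file deleted despite mode 0400:", gone)
```

To make the workaround effective, the WordPress root directory must not be writable by the account PHP runs as, or the file must be marked immutable (`chattr +i wp-config.php` on Linux filesystems that support it), which blocks unlink even for a process with directory write access. Run `audit_delete_protection("/path/to/wp-config.php")` as the web server user to see the real posture.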
🧯 If You Can't Patch
- Remove the plugin completely if not essential
- Implement web application firewall rules to block acf7_db_edit_scr_file_delete AJAX requests
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is below 1.8.7, you are vulnerable.
Check Version:
wp plugin get advanced-cf7-db --field=version
Verify Fix Applied:
Confirm plugin version is 1.8.7 or higher after update. Test that authenticated non-admin users cannot delete files via AJAX requests.
📡 Detection & Monitoring
Log Indicators:
- AJAX requests to acf7_db_edit_scr_file_delete endpoint from non-admin users
- File deletion events in web server logs for critical files like wp-config.php
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=acf7_db_edit_scr_file_delete parameter
SIEM Query:
source="web_server.log" AND (uri="/wp-admin/admin-ajax.php" AND post_data="action=acf7_db_edit_scr_file_delete")
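The log and network indicators above, turned into detection logic as an added example (not code from the advisory or the plugin). The log lines are constructed, and the JSON field layout (src, user, method, uri, post_data) is an assumption about how a SIEM exports web server events. Two details beyond the SIEM query: admin-ajax.php reads the action from $_REQUEST, so the scan checks the query string as well as the POST body, and it uses a contains-style match because a real body carries other parameters alongside the action. The parameter name `path` in the samples is constructed; the advisory does not name the plugin's real file parameter.

```python
"""Flag admin-ajax.php requests that invoke the acf7_db_edit_scr_file_delete action.

Added example for CVE-2021-24905; not part of the advisory. Sample events,
admin user list and sensitive-file watch-list are all constructed.
"""
import json
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "acf7_db_edit_scr_file_delete"
SENSITIVE_FILES = ("wp-config.php", ".htaccess")   # constructed watch-list
ADMIN_USERS = {"admin"}                            # constructed: known site admins

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """
{"src":"203.0.113.10","user":"subscriber01","method":"POST","uri":"/wp-admin/admin-ajax.php","post_data":"action=acf7_db_edit_scr_file_delete&path=wp-config.php"}
{"src":"203.0.113.11","user":"editor02","method":"GET","uri":"/wp-admin/admin-ajax.php?action=acf7_db_edit_scr_file_delete&path=export.csv","post_data":""}
{"src":"198.51.100.5","user":"admin","method":"POST","uri":"/wp-admin/admin-ajax.php","post_data":"action=heartbeat&_nonce=abc"}
{"src":"198.51.100.9","user":"-","method":"GET","uri":"/wp-login.php","post_data":""}
{"src":"198.51.100.5","user":"admin","method":"POST","uri":"/wp-admin/admin-ajax.php","post_data":"action=acf7_db_edit_scr_file_delete&path=export.csv"}
""".strip()


def _params(event):
    """Merge query-string and body parameters: admin-ajax.php dispatches on
    $_REQUEST['action'], so the action may arrive either way."""
    merged = {}
    query = urlsplit(event.get("uri", "")).query
    for source in (query, event.get("post_data", "")):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged


def classify(event):
    """Return None for benign events, otherwise a finding dict."""
    params = _params(event)
    if TARGET_ACTION not in params.get("action", []):
        return None
    mentions = sorted({name for values in params.values() for value in values
                       for name in SENSITIVE_FILES if name in value})
    user = event.get("user", "-")
    # any non-admin reaching this action is the advisory's core indicator
    severity = "high" if user not in ADMIN_USERS else "review"
    if mentions:
        severity = "critical"
    return {"src": event.get("src"), "user": user,
            "severity": severity, "sensitive_files": mentions}


def scan(log_text):
    """Scan newline-delimited JSON events and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Default access logs do not record POST bodies, so the post_data field only exists if the web server, a WAF, or a WordPress-side logger captures it; without that, only the query-string form of the action is visible in the logs.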