CVE-2026-40769

Divi · Contact Form Extender for Divi

An unauthenticated arbitrary file deletion vulnerability exists in the Contact Form Extender for Divi plugin, allowing remote attackers to remove files from the server.

Executive summary

The Contact Form Extender for Divi plugin contains an unauthenticated arbitrary file deletion vulnerability: a remote attacker with no account on the site can delete any file the web server process is allowed to remove.

Vulnerability

This is an unauthenticated vulnerability: no login, nonce or capability check stands between a remote request and the plugin's deletion routine. The flaw resides in the plugin's file handling functions, which accept a file path from the request and delete it without confining it to the plugin's own storage directory. The attacker is limited only by the permissions of the web server account, which on a typical WordPress install covers the entire site tree, wp-config.php and core files included.
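The following is an added illustration of the bug class described above, not the plugin's own code: a hypothetical AJAX handler that deletes whatever path the request supplies, beside a hardened form that requires a logged-in user, a nonce and a capability, and refuses any target that resolves outside the plugin's upload subdirectory. The action name `cfe_delete_upload`, the `cfe-attachments` subdirectory and the `manage_options` capability are assumptions for the example.

```php
<?php
// Added example, hypothetical code: NOT the Contact Form Extender plugin's own source.

// Vulnerable pattern: the handler is registered on the *_nopriv hook, so
// unauthenticated visitors reach it, and it unlinks an attacker-supplied path.
add_action( 'wp_ajax_nopriv_cfe_delete_upload', 'cfe_delete_upload_vulnerable' ); // hypothetical action
function cfe_delete_upload_vulnerable() {
    $file = $_POST['file'];        // attacker-controlled, e.g. "../../../wp-config.php"
    if ( file_exists( $file ) ) {
        unlink( $file );           // no auth, no nonce, no path restriction
    }
    wp_die();
}

// Hardened form: logged-in users only (no *_nopriv hook), nonce and capability
// checked, and the target confined to one directory after symlink resolution.
add_action( 'wp_ajax_cfe_delete_upload', 'cfe_delete_upload_hardened' );
function cfe_delete_upload_hardened() {
    check_ajax_referer( 'cfe_delete_upload', 'nonce' );           // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {              // assumed capability for this action
        wp_send_json_error( 'forbidden', 403 );
    }

    // Reduce the request value to a bare file name, then re-anchor it under the
    // plugin's own subdirectory of the uploads folder (subdirectory name assumed).
    $name = basename( sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) ) );
    $base = realpath( trailingslashit( wp_get_upload_dir()['basedir'] ) . 'cfe-attachments' );
    $path = ( '' !== $name && false !== $base ) ? realpath( $base . '/' . $name ) : false;

    // realpath() resolves "..", "." and symlinks, so a link planted inside the
    // directory that points at wp-config.php resolves outside $base and is refused.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    if ( ! is_file( $path ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_delete_file( $path );                                      // WordPress wrapper around unlink()
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
```

The prefix check compares against `$base . DIRECTORY_SEPARATOR` rather than `$base` alone so that a sibling directory such as `cfe-attachments-old` does not pass as a prefix match. Reviewing a plugin for this bug class means locating every `unlink()` or `wp_delete_file()` call and confirming all three properties hold on the path that reaches it: an authentication and nonce check on the handler, a capability check appropriate to the action, and a canonicalised prefix check against a fixed directory.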

Business impact

The CVSS score of 8.6 places this flaw in the High severity band. Deletion runs with the privileges of the web server process, so operating-system files owned by root are normally out of reach, but everything under the WordPress document root is not: removing core files or plugin code takes the site offline (denial of service), and deleting wp-config.php returns the site to its unconfigured install state, a well-known route from file deletion to full site takeover. Application data such as uploads and form attachments can be destroyed with no way to recover it other than backups.

Remediation

Immediate Action: Update the Contact Form Extender for Divi plugin to the latest version immediately.

Proactive Monitoring: Put file integrity monitoring on the WordPress tree (wp-config.php, wp-admin, wp-includes and the plugin directory) and alert on deletions. Review web server access logs for requests to the plugin's endpoints from clients without a session cookie, particularly POST requests carrying path-like parameters or traversal sequences such as "../". An unexpected reappearance of the WordPress install wizard should be treated as an indicator of compromise, not a misconfiguration.

Compensating Controls: Until the update is applied, use a WAF to block unauthenticated requests to the plugin's file deletion functions and to drop any request whose parameters contain directory traversal sequences or absolute paths. Treat this as a stopgap only: WAF rules keyed on request patterns can be evaded by encoding variations, and they do not remove the missing authorization check from the code.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is a high-severity (CVSS 8.6) vulnerability made more urgent by the lack of any authentication requirement. Organizations must prioritize updating this plugin immediately; where the update cannot be applied at once, verify that current backups of the site tree and database exist, since a successful attack can leave the file system in a state that only a restore will repair.