CVE-2026-9843

WordPress · Database for Contact Form 7, WPforms, Elementor forms plugin

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient path validation in the view_page function.

Executive summary

A critical arbitrary file deletion vulnerability exists in the Database for Contact Form 7, WPforms, Elementor forms plugin, posing a significant risk of service disruption or site compromise.

Vulnerability

The plugin fails to adequately sanitize file paths within the view_page function, allowing an authenticated attacker to delete arbitrary files on the server. Because the vulnerable function requires authentication, an attacker must hold valid credentials to trigger it.

Business impact

Successful exploitation of this vulnerability can lead to the deletion of critical system or application files, resulting in severe service downtime and potential loss of data integrity. With a CVSS score of 8.1, this high-severity flaw represents a substantial risk to business continuity and operational security, particularly if the deleted files are essential for site functionality.

Remediation

Immediate Action: Update the plugin to the latest version provided by the vendor to patch the path validation flaw.

Proactive Monitoring: Audit web server logs for suspicious requests directed at the view_page function or unusual file deletion patterns.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block directory traversal attempts and suspicious parameter inputs.
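As an added illustration of the log audit described under Proactive Monitoring (example code written for this page, not from the plugin or its vendor): a small Python scanner over constructed combined-format access log lines that flags requests referencing view_page whose decoded request target contains a directory traversal sequence, including double-URL-encoded forms. The query parameter name (file) and the request shape are assumptions; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Apache/nginx combined format), not taken
# from any real server. The "file" parameter is an assumed placeholder name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /wp-admin/admin.php?page=view_page&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:12:00:07 +0000] "GET /wp-admin/admin.php?page=view_page&file=../../wp-config.php HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.9 - - [10/May/2026:12:00:09 +0000] "GET /wp-admin/admin.php?page=view_page&file=..%252f..%252f.htaccess HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.2 - - [10/May/2026:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a forward or back slash, checked after full decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so %252f (double-encoded '/') is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_requests(log_text):
    """Return records for requests to view_page that carry a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        target = fully_decode(match.group("target"))
        if "view_page" not in target:
            continue  # only the vulnerable function is of interest here
        if TRAVERSAL_RE.search(target):
            hits.append({
                "ip": match.group("ip"),
                "timestamp": match.group("ts"),
                "status": int(match.group("status")),
                "decoded_target": target,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["timestamp"], hit["ip"], hit["status"], hit["decoded_target"])
```

Feed the output into whatever alerting the site already uses; a single flagged request from an authenticated account is a strong reason to review that account and verify that the plugin is updated.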

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the severity of the vulnerability, administrators must prioritize updating the affected plugin immediately. If an update is not currently available, consider disabling the plugin entirely to mitigate the risk of unauthorized file deletion until a vendor-supplied patch is implemented.