
Cloud Vulnerability DB
A community-led vulnerabilities database
The Advanced Contact form 7 DB WordPress plugin before version 1.8.7 contained a critical security vulnerability identified as CVE-2021-24905. This vulnerability was related to missing authorization and CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, combined with inadequate file validation for deletion operations (WPScan).
The vulnerability has a CVSS v3.1 Base Score of 8.0 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The issue stems from two main weaknesses: Cross-Site Request Forgery (CSRF) (CWE-352) and Incorrect Authorization (CWE-863). The vulnerability affects all versions of the plugin up to (but not including) version 1.8.7, with version 1.8.3 adding some capability and CSRF checks, though path traversal was not fully fixed until 1.8.7 (NVD).
The vulnerability allows any authenticated user to delete arbitrary files on the web server. A particularly severe exploitation scenario involves deleting the wp-config.php file, which would enable attackers to trigger WordPress setup again, potentially gaining administrator privileges and subsequently executing arbitrary code or displaying arbitrary content to users (WPScan).
The recommended mitigation is to update the Advanced Contact form 7 DB plugin to version 1.8.7 or later, which fully addresses the vulnerability including the path traversal issue. While version 1.8.3 added some security improvements with capability and CSRF checks, it did not completely resolve all security concerns (WPScan).
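As an added illustration (not code from the Advanced Contact form 7 DB plugin), the following WordPress AJAX delete handler shows the three controls the advisory describes as missing or incomplete before 1.8.7: a capability check, a nonce (CSRF) check, and path validation that confines deletion to one folder. The hook name, nonce action, capability and folder name are assumptions for this example.

```php
// Added illustration, not the plugin's own code: a hardened WordPress AJAX
// file-delete handler with the controls the advisory says were missing or
// incomplete before 1.8.7: a capability check, a nonce (CSRF) check, and
// path validation confining deletion to one folder. Hook name, nonce
// action, capability and folder name are assumptions for this example.

add_action( 'wp_ajax_example_file_delete', 'example_file_delete' );

function example_file_delete() {
    // 1. Authorization: only users with the right capability may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued for this action;
    //    check_ajax_referer() ends the request if the nonce is invalid.
    check_ajax_referer( 'example_file_delete', 'nonce' );

    // 3. Path validation: resolve the name inside the allowed directory and
    //    refuse anything that escapes it (e.g. ../../wp-config.php).
    $name = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $path = example_safe_path( $name );
    if ( false === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}

/**
 * Absolute path of $name inside the plugin's upload folder, or false if the
 * name is not a bare file name, the target is not a regular file, or it
 * resolves (symlinks included, via realpath()) outside that folder.
 */
function example_safe_path( $name ) {
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'example-plugin' );
    // Only a bare file name is acceptable: no directory separators.
    if ( false === $base || '' === $name || basename( $name ) !== $name ) {
        return false;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $target || ! is_file( $target ) ) {
        return false;
    }
    // Containment: the resolved path must begin with the base directory.
    return 0 === strpos( $target, $base . DIRECTORY_SEPARATOR ) ? $target : false;
}
```

Each of the three checks fails closed: a request that lacks the capability, the nonce, or a contained regular-file target is rejected before wp_delete_file() is reached.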
Source: This report was generated using AI