A CMS user with limited access to form pages can delete submissions from form pages they cannot normally access by sending a delete request that names a form page they can access while the submission ID refers to a submission on a restricted page. The vulnerability arises because the delete endpoint does not adequately verify that the user has permission to delete the specific submission object; it only checks access to the form page named in the request. By manipulating the submission ID and page context, an attacker with low‑level admin privileges can bypass the intended permission boundary. The attack requires network access, low privileges, and no user interaction. The vulnerability is not exploitable by ordinary site visitors without Wagtail admin access. It is classified as CWE‑280 (Improper Handling of Insufficient Permissions or Privileges) with a CVSS score of 6.5 (Medium). Patches were released in Wagtail 7.0.7, 7.3.2, and the 7.4 LTS release. No workaround exists.
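The authorization flaw described above, as an added illustration that is not Wagtail's own code: the User and Submission classes, the in-memory store and both delete functions are constructed stand-ins, and the fixed variant shows the check the endpoint was missing (authorising against the page that actually owns the submission, not the page_id sent in the request).

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed stand-in: allowed_pages holds ids of form pages the user may manage."""
    name: str
    allowed_pages: set = field(default_factory=set)


@dataclass
class Submission:
    """Constructed stand-in: page_id is the form page this submission really belongs to."""
    id: int
    page_id: int


# Constructed store: submissions 1 and 2 belong to page 10, submission 3 to page 20.
SUBMISSIONS = {1: Submission(1, 10), 2: Submission(2, 10), 3: Submission(3, 20)}


def delete_submission_vulnerable(user, page_id, submission_id, store):
    """Models the flaw described above: only the page_id sent in the request is
    authorised, so submission_id is never tied back to that page."""
    if page_id not in user.allowed_pages:
        return False
    return store.pop(submission_id, None) is not None


def delete_submission_fixed(user, page_id, submission_id, store):
    """Hardened form: look the object up first, require that it belongs to the
    page named in the request, and authorise against that owning page."""
    sub = store.get(submission_id)
    if sub is None or sub.page_id != page_id:
        return False  # object is not under the page the request claims
    if sub.page_id not in user.allowed_pages:
        return False  # caller has no rights on the page that owns the object
    del store[submission_id]
    return True


def demo():
    """Runs both variants for an editor who may manage page 10 only."""
    editor = User("editor", allowed_pages={10})
    vuln, fixed = dict(SUBMISSIONS), dict(SUBMISSIONS)
    return {
        "vulnerable_cross_page": delete_submission_vulnerable(editor, 10, 3, vuln),
        "fixed_cross_page": delete_submission_fixed(editor, 10, 3, fixed),
        "fixed_own_page": delete_submission_fixed(editor, 10, 1, fixed),
        "fixed_wrong_user": delete_submission_fixed(User("other"), 10, 2, fixed),
    }
```

The object-level check also rejects a request whose page_id matches the submission's page but whose caller lacks rights on that page, which is the second half of the CWE-280 boundary.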
DailyCVE Form
Platform: Wagtail
Version: <7.0.7, 7.1-7.3.1
Vulnerability: Improper permission handling
Severity: Medium
Date: 2026-05-05
Prediction: 2026-05-05
Analytics – What Undercode Says
Check the installed Wagtail version:
`pip show wagtail | grep Version`
List installed Wagtail packages (if multiple):
`pip list | grep wagtail`
Upgrade to a patched version (7.0.7, 7.3.2 or 7.4):
`pip install --upgrade wagtail==7.0.7`
Verify patch status (Python):
`python -c "import wagtail; print(wagtail.VERSION)"`
Exploit
Send a crafted POST request to `/admin/forms/submissions/delete/` with a `submission_id` belonging to a restricted form page while the `page_id` parameter points to an accessible form page. Example (conceptual):
`POST /admin/forms/submissions/delete/?page_id=accessible_page&submission_id=restricted_submission`
Protection from this CVE
Upgrade to Wagtail 7.0.7, 7.3.2, or 7.4 immediately. If upgrading is not possible, restrict admin access to only trusted users and audit form‑submission logs for unexpected deletions.
Impact
An authenticated CMS user with minimal privileges can delete arbitrary form submissions from any form page, leading to data loss and integrity violation (CVSS: Integrity High).
Sources:
Reported By: github.com