Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion

The plugin does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.

Note: 1.8.3 added capability and CSRF checks, path traversal fully fixed in 1.8.7

fetch("/wp-admin/admin-ajax.php?action=acf7_db_edit_scr_file_delete", {"method": "post", "headers": {'Content-Type': 'application/x-www-form-urlencoded'}, "body": "fid=1&rid=1&field=1&val=../../../license.txt"})