CVE-2026-25863: WordPress Plugin DoS Vulnerability Hits Contact Form 7

The National Vulnerability Database reports CVE-2026-25863, an uncontrolled resource consumption vulnerability in the Conditional Fields for Contact Form 7 WordPress plugin, affecting versions up to and including 2.6.7. This is not just a bug; it is a direct path to server meltdown for unpatched systems. The flaw lies in the Wpcf7cfMailParser class, specifically its hide_hidden_mail_fields_regex_callback() method.

Attackers can exploit this via the REST API endpoint by supplying an arbitrarily large integer in the POST parameters. Because the value is neither validated nor capped at an upper bound, the method enters an unbounded loop involving multiple preg_replace() operations. This rapidly exhausts server memory, crashing the PHP process and effectively taking the site offline. The attack requires no authentication, which makes this denial-of-service vector particularly dangerous.

With a CVSS score of 7.5 (HIGH), this vulnerability is a critical concern for any organization running WordPress with this plugin installed. The attacker's calculus is simple: maximum disruption for minimal effort, exploiting a common plugin's blind trust in user-supplied input.

What This Means For You

  • If your organization uses the Conditional Fields for Contact Form 7 WordPress plugin, identify all instances running versions 2.6.7 or earlier. Patch immediately to the latest secure version. Failure to do so leaves your web infrastructure vulnerable to unauthenticated denial-of-service attacks that can crash your PHP processes and render your sites inaccessible.
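The inventory step above can be scripted. The following is an added example, not code from the advisory or the plugin: it reads the JSON that `wp plugin list --format=json` prints on each site and flags installs at or below 2.6.7, using numeric version comparison so that 2.6.10 is correctly ranked above 2.6.7. The plugin slug `cf7-conditional-fields` and the sample inventory are assumptions, not data from the page.

```python
import json

# Plugin slug is assumed (the advisory names the plugin, not its slug);
# the version bound comes from the advisory (affected through 2.6.7).
AFFECTED_SLUG = "cf7-conditional-fields"
LAST_AFFECTED_VERSION = "2.6.7"


def version_key(version: str) -> tuple:
    """Numeric sort key so '2.6.10' ranks above '2.6.7' (a string compare would not).
    Missing components are padded with zeros; a pre-release tag ('2.6.8-beta')
    sorts just below the final release carrying the same number."""
    core, _, prerelease = version.strip().partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums += (0,) * (4 - len(nums))
    return nums + (0 if prerelease else 1,)


def is_affected(version: str) -> bool:
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def affected_installs(inventory: dict) -> list:
    """inventory maps a site label to the text printed by `wp plugin list --format=json`
    on that site. Returns every site still carrying an affected build. Inactive copies
    are reported too: they do not serve the endpoint today but will if re-enabled."""
    hits = []
    for site, plugin_json in inventory.items():
        for plugin in json.loads(plugin_json):
            if plugin.get("name") != AFFECTED_SLUG:
                continue
            if is_affected(plugin.get("version", "0")):
                hits.append({"site": site, "version": plugin["version"],
                             "active": plugin.get("status") == "active"})
    return hits


# Constructed sample output from three sites (not real data).
SAMPLE_INVENTORY = {
    "shop.example": '[{"name":"contact-form-7","status":"active","update":"none","version":"6.0.6"},'
                    '{"name":"cf7-conditional-fields","status":"active","update":"available","version":"2.6.7"}]',
    "blog.example": '[{"name":"cf7-conditional-fields","status":"inactive","update":"none","version":"2.6.10"}]',
    "intranet.example": '[{"name":"cf7-conditional-fields","status":"active","update":"available","version":"2.5.3"}]',
}

if __name__ == "__main__":
    for hit in affected_installs(SAMPLE_INVENTORY):
        state = "active" if hit["active"] else "inactive"
        print(f"{hit['site']}: {AFFECTED_SLUG} {hit['version']} ({state}) - update required")
```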

Indicators of Compromise

ID | Type | Indicator
CVE-2026-25863 | DoS | WordPress plugin: Conditional Fields for Contact Form 7
CVE-2026-25863 | DoS | Affected version: through 2.6.7
CVE-2026-25863 | DoS | Vulnerable class: Wpcf7cfMailParser
CVE-2026-25863 | DoS | Vulnerable method: hide_hidden_mail_fields_regex_callback()
CVE-2026-25863 | DoS | Attack vector: Unauthenticated POST parameters via REST API endpoint
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 04, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
