CVE-2026-25863

216.73.217.22

· Published 04/05/2026 19:16 · Modified 04/05/2026 19:16

Labels: CVE-2026-25863 2026-05-04 CVE-2026-25863 CWE-1284 [email protected]

Essential information

Published: 04/05/2026 19:16
Modified: 04/05/2026 19:16
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
wordpress / contact form 7	`cpe:2.3:a:wordpress:contact_form_7::::::::`