CVE-2026-25863
Deferred Deferred - Pending Action
Uncontrolled Resource Consumption in Conditional Fields for Contact Form 7

Publication date: 2026-05-04

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25863
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
contact_form_7 contact_form_7 to 2.6.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7. It is an uncontrolled resource consumption issue in the Wpcf7cfMailParser class, specifically in the hide_hidden_mail_fields_regex_callback() method. This method reads an iteration count directly from user-supplied POST parameters without validating or limiting the value.

Because of this, unauthenticated attackers can send an arbitrarily large integer through the REST API endpoint, causing the method to execute an unbounded loop with multiple preg_replace() operations. This leads to exhaustion of server memory and can crash the PHP process.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to cause a denial of service (DoS) on your server. By sending specially crafted requests with large iteration counts, attackers can exhaust your server's memory resources, leading to crashes of the PHP process and potentially making your website or application unavailable.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25863. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart