CVE-2026-25863
Uncontrolled Resource Consumption in Conditional Fields for Contact Form 7
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| contact_form_7 | contact_form_7 | up to 2.6.7 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7. It is an uncontrolled resource consumption issue in the Wpcf7cfMailParser class, specifically in the hide_hidden_mail_fields_regex_callback() method. This method reads an iteration count directly from user-supplied POST parameters without validating or limiting the value.
Because of this, unauthenticated attackers can send an arbitrarily large integer through the REST API endpoint, causing the method to execute an unbounded loop with multiple preg_replace() operations. This leads to exhaustion of server memory and can crash the PHP process.
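As an added illustration (not the plugin's code and not part of the CVE record), this is the shape of the check that closes a CWE-1284 gap of this kind: the count read from the request is validated as a bounded integer before it is ever used as a loop bound, so the number of preg_replace() calls stays bounded regardless of what the client sends. The function and constant names, the cap value and the template placeholder are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: validate a user-supplied
// iteration count before using it as a loop bound (CWE-1284 mitigation).
// Names, the cap and the placeholder token are hypothetical.

const MAX_REPEAT_COUNT = 100; // assumed cap: what a legitimate form could need

/**
 * Parse a request value as a count. Accepts only an integer (or integer
 * string) in the range [0, $max]; returns null on any violation so the
 * caller can reject the request rather than silently clamping it.
 */
function parse_bounded_count($raw, int $max = MAX_REPEAT_COUNT): ?int {
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays/objects decoded from a JSON body are rejected
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/**
 * Hardened callback shape: expand a template once per index, but only
 * after the count has passed parse_bounded_count(). The loop can never
 * run more than MAX_REPEAT_COUNT times, whatever the request contained.
 */
function expand_repeated_field(string $template, $raw_count): ?string {
    $count = parse_bounded_count($raw_count);
    if ($count === null) {
        return null; // invalid, negative, non-numeric or over the cap
    }
    $out = '';
    for ($i = 1; $i <= $count; $i++) {
        $out .= preg_replace('/__INDEX__/', (string) $i, $template);
    }
    return $out;
}

// Constructed sample inputs: one in range, then the kinds of values the
// validation exists to reject (far over the cap, negative, wrong type).
var_dump(expand_repeated_field('[field-__INDEX__]', '3'));
var_dump(expand_repeated_field('[field-__INDEX__]', '999999999'));
var_dump(expand_repeated_field('[field-__INDEX__]', '-1'));
var_dump(expand_repeated_field('[field-__INDEX__]', ['3']));
```

Rejecting out-of-range counts outright (rather than clamping) also makes the abuse visible in application logs, which is useful for detection alongside the fix.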
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated attackers to cause a denial of service (DoS) on your server. By sending specially crafted requests with large iteration counts, attackers can exhaust your server's memory resources, leading to crashes of the PHP process and potentially making your website or application unavailable.