cleantalk
Vulnerabilities and Security Researches

Conditional Fields for Contact Form 7, CVE-2026-25863

CVE, Research URL

CVE-2026-25863

Home page URL

Security reports for Conditional Fields for Contact Form 7

Application

Conditional Fields for Contact Form 7

Published on
May 05, 2026
Research Description
Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
Affected versions
max 2.6.7.
Status
vulnerable
Previous vulnerability researches
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms (CVE-2026-42659) , May 06, 2026
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms (CVE-2024-43340) , Aug 20, 2024
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms (CVE-2022-4974) , May 06, 2025
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms (CVE-2024-2387) , Jun 07, 2024
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms (d6851c635532764da1ccfbf213f9eb9da674c698) , Jun 07, 2024
New vulnerability
Royal Elementor Addons and Templates (CVE-2026-4803) , May 06, 2026
Royal Elementor Addons and Templates (CVE-2026-5159) , May 06, 2026
NEX-Forms – Ultimate Form Builder – Contact forms and much more (CVE-2026-5063) , May 06, 2026
Loco Translate (CVE-2026-1921) , May 06, 2026
Conditional Fields for Contact Form 7 (CVE-2026-25863) , May 06, 2026