cleantalk
Vulnerabilities and Security Researches

Contact Form 7, CVE-2025-3247

CVE, Research URL

CVE-2025-3247

Home page URL

Security reports for Contact Form 7

Application

Contact Form 7

Published on
Apr 16, 2025
Research Description
The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Affected versions
Min -, max 6.0.6.
Status
vulnerable
Previous vulnerability researches
OmniLeads Scripts and Tags Manager (CVE-2025-31460) , Apr 03, 2025
New vulnerability
Anthologize (CVE-2025-39437) , Apr 19, 2025
Piotnet Addons For Elementor (CVE-2024-13650) , Apr 19, 2025
Starfish Review Generation & Marketing for WordPress (CVE-2025-39533) , Apr 19, 2025
Add to Header (CVE-2025-39423) , Apr 19, 2025
Photo Contest | Competition | Video Contest (CVE-2025-23782) , Apr 19, 2025