CVE-2026-25863
Severity: HIGH
Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncontrolled Resource Consumption
Title source: cnaDescription
The Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class: the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validating it or enforcing an upper bound. An unauthenticated attacker can supply an arbitrarily large integer through the plugin's REST API endpoint to force an effectively unbounded loop that runs several preg_replace() operations per iteration, exhausting server memory and crashing the PHP process.
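The following is an added illustration of the CWE-1284 pattern the description names, not code from the plugin: a loop bound taken straight from POST, shown beside a hardened version that validates the integer against a fixed range and then clamps it to the number of fields the server itself knows about. The parameter name iterations, the placeholder regex, the helper names and the ceiling of 50 are assumptions; the real method, its parameter and its regexes are not given on this page.

```php
<?php
// Added example, not code from the Conditional Fields for Contact Form 7 plugin.
// It reproduces the CWE-1284 shape the advisory describes (a loop count read from
// POST and used unbounded) and shows the hardened form. The parameter name
// 'iterations', the placeholder regex and the bound of 50 are assumptions.
declare(strict_types=1);

const MAX_ITERATIONS = 50; // assumed ceiling; set it to what the feature really needs

// Vulnerable shape: the raw POST value becomes the loop bound. A value such as
// "99999999" keeps the loop running, with a preg_replace per pass, until
// memory_limit or max_execution_time is hit.
function hide_hidden_fields_unbounded(string $body, array $post): string
{
    $count = $post['iterations'] ?? 0;   // no type check, no upper bound
    for ($i = 0; $i < $count; $i++) {
        $body = preg_replace('/\[hidden_' . $i . '\].*?\[\/hidden_' . $i . '\]/s', '', $body);
    }
    return $body;
}

// Hardened shape: validate as an integer within a fixed range, then clamp to the
// number of fields that actually exist server-side, so the client can never make
// the loop longer than the template itself justifies.
function hide_hidden_fields_bounded(string $body, array $post, int $fieldsInTemplate): string
{
    $count = filter_var(
        $post['iterations'] ?? 0,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => MAX_ITERATIONS]]
    );
    if ($count === false) {
        // Reject rather than coerce; a REST handler would return a 400 here.
        throw new InvalidArgumentException(
            'iterations must be an integer between 0 and ' . MAX_ITERATIONS
        );
    }
    $count = min($count, $fieldsInTemplate);
    for ($i = 0; $i < $count; $i++) {
        $body = preg_replace('/\[hidden_' . $i . '\].*?\[\/hidden_' . $i . '\]/s', '', $body);
    }
    return $body;
}

// Constructed mail template with two hidden-field blocks (sample input, not real data).
$template = "Name: [name]\n[hidden_0]secret0[/hidden_0]\n[hidden_1]secret1[/hidden_1]\nDone";

// Honest request: both variants produce the same result.
$honest = ['iterations' => '2'];
echo hide_hidden_fields_bounded($template, $honest, 2), "\n";

// Hostile request: the bounded version refuses it instead of spinning.
$hostile = ['iterations' => '99999999'];
try {
    hide_hidden_fields_bounded($template, $hostile, 2);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// Do not call hide_hidden_fields_unbounded($template, $hostile) outside a sandbox:
// that call is the denial of service.
```

The two fixes that matter are independent: FILTER_VALIDATE_INT with min_range/max_range rejects non-integers, negative values and anything above the ceiling, and the min() against a server-side count removes the client's influence over the bound entirely. To check exposure on a site, compare the installed version against 2.7.3 (for example with WP-CLI, wp plugin get cf7-conditional-fields --field=version, using the slug from the wordpress.org URL in the references).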
References (2)
Patch (release notes): https://wordpress.org/plugins/cf7-conditional-fields/#developers
Third Party Advisory: https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption
Scores
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
EPSS: 0.0043 (percentile 34.5%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-1284
Status: published
Products (1): Jules Colle / Conditional Fields for Contact Form 7, versions < 2.7.3
Published: May 04, 2026
Tracked Since: May 05, 2026