Description
The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the admin-configured webhook URL contains a Contact Form 7 field placeholder in the host segment of the URL, and that the affected form is publicly accessible.
Published: 2026-06-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CF7 to Webhook plugin for WordPress contains an SSRF flaw triggered by the pull_the_trigger method. By embedding a Contact Form 7 field placeholder in the host portion of an admin‑configured webhook URL, an unauthenticated attacker can cause the application to send HTTP requests to arbitrary destinations. This allows the attacker to read sensitive data or manipulate internal services, potentially leading to data disclosure, integrity violations, or further compromise.

Affected Systems

The vulnerability affects the Maria Valney CF7 to Webhook WordPress plugin in all releases up to and including version 5.0.0. Any WordPress site that has this plugin installed and exposes a Contact Form 7 form publicly may be impacted.

Risk and Exploitability

The CVSS base score of 7.2 indicates high severity, while the EPSS score of < 1% implies a very low probability of exploitation at this time. The flaw is not listed in CISA’s KEV catalog. Exploitation requires a publicly accessible form and the presence of a placeholder in the webhook URL host; unauthenticated attackers can trigger it directly via the pull_the_trigger endpoint.

Generated by OpenCVE AI on June 18, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CF7 to Webhook plugin to a version newer than 5.0.0, which removes the SSRF vulnerability.
  • If an upgrade is not immediately feasible, eliminate placeholder usage in the host segment of any webhook URLs or disable the pull_the_trigger functionality altogether.
  • Restrict access to the affected Contact Form 7 forms so that only authenticated users can trigger the plugin, reducing the attack surface.

Generated by OpenCVE AI on June 18, 2026 at 17:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mariovalney
Mariovalney cf7 To Webhook
Wordpress
Wordpress wordpress
Vendors & Products Mariovalney
Mariovalney cf7 To Webhook
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the admin-configured webhook URL contains a Contact Form 7 field placeholder in the host segment of the URL, and that the affected form is publicly accessible.
Title CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Mariovalney Cf7 To Webhook
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T15:52:32.717Z

Reserved: 2026-06-05T16:22:22.915Z

Link: CVE-2026-11395

cve-icon Vulnrichment

Updated: 2026-06-18T15:52:29.398Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:56:27Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)