Impact
The CF7 to Webhook plugin for WordPress contains an SSRF flaw triggered by the pull_the_trigger method. By embedding a Contact Form 7 field placeholder in the host portion of an admin‑configured webhook URL, an unauthenticated attacker can cause the application to send HTTP requests to arbitrary destinations. This allows the attacker to read sensitive data or manipulate internal services, potentially leading to data disclosure, integrity violations, or further compromise.
Affected Systems
The vulnerability affects the Maria Valney CF7 to Webhook WordPress plugin in all releases up to and including version 5.0.0. Any WordPress site that has this plugin installed and exposes a Contact Form 7 form publicly may be impacted.
Risk and Exploitability
The CVSS base score of 7.2 indicates high severity, while the EPSS score of < 1% implies a very low probability of exploitation at this time. The flaw is not listed in CISA’s KEV catalog. Exploitation requires a publicly accessible form and the presence of a placeholder in the webhook URL host; unauthenticated attackers can trigger it directly via the pull_the_trigger endpoint.
OpenCVE Enrichment