Description
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header
Published: 2026-04-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the ability of the Spam Protect for Contact Form 7 plugin to log request data to a PHP file. When a user with editor privileges sends a specially crafted HTTP header, the log entry is interpreted as executable PHP code, allowing the attacker to run arbitrary commands on the server. This flaw maps to the CWE-94 code injection weakness and results in a full remote code execution scenario, jeopardizing confidentiality, integrity, and availability of the affected site.

Affected Systems

WordPress sites that use the Spam Protect for Contact Form 7 plugin, specifically any installation with a version earlier than 1.2.10. The plugin is not linked to any major vendor, but any WordPress installation deploying it will be vulnerable if that version is in use.

Risk and Exploitability

The CVSS score of 7.2 indicates a high impact once the flaw is exploited, while the EPSS of less than 1% means the likelihood of exploitation in the wild is currently low. The attack requires at least editor-level access to the WordPress dashboard, or the ability to send crafted POST requests to the plugin endpoint, so the vulnerability mainly affects sites with many editor users or poorly managed role permissions. Absence from the CISA KEV list means no confirmed large-scale exploitation so far, but the severity warrants prompt patching.

Generated by OpenCVE AI on April 2, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spam Protect for Contact Form 7 to version 1.2.10 or later
  • If upgrading is not possible immediately, disable the plugin’s logging feature or remove the plugin entirely
  • Review and restrict editor and administrator roles to limit potential attackers’ permissions
  • Backup site files and database before applying any changes
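The check below is an added example, not OpenCVE's or the plugin's own code: a POSIX shell script that uses WP-CLI (assumed to be installed as `wp`) to read the installed version of the plugin, compare it numerically against the fixed version 1.2.10, and, when the site is still on a vulnerable release, take a database export before updating. The slug `spam-protect-for-contact-form-7` is a placeholder assumption; confirm the plugin's real directory name under wp-content/plugins before running it with `--run`.

```shell
#!/bin/sh
# Added example for CVE-2026-1540 remediation with WP-CLI. Not the plugin's or OpenCVE's code.
# PLUGIN_SLUG is an assumed placeholder; use the plugin's real directory name under wp-content/plugins.
PLUGIN_SLUG="${PLUGIN_SLUG:-spam-protect-for-contact-form-7}"
FIXED_VERSION="1.2.10"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Fields are compared as integers, so 1.2.9 < 1.2.10 (a plain string compare gets this wrong).
# Missing fields count as 0, and non-digit suffixes such as "-beta" are ignored.
version_lt() {
    a="$1."; b="$2."   # trailing dot so the last field is consumed like the others
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=$(printf '%s' "$x" | tr -dc '0-9'); y=$(printf '%s' "$y" | tr -dc '0-9')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal
}

# is_vulnerable VERSION: succeed when the installed version predates the fix.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# remediate: read the installed version with WP-CLI, back up the database, then update.
remediate() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "plugin $PLUGIN_SLUG not installed or WP-CLI unavailable; nothing to do"
        return 0
    }
    if is_vulnerable "$installed"; then
        echo "installed $installed < $FIXED_VERSION: backing up and updating"
        wp db export "backup-before-cve-2026-1540-$(date +%Y%m%d%H%M%S).sql"
        wp plugin update "$PLUGIN_SLUG"
        # If updating is not possible right away, deactivate instead:
        #   wp plugin deactivate "$PLUGIN_SLUG"
    else
        echo "installed $installed is already at or above $FIXED_VERSION"
    fi
}

# Only touch the site when explicitly asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
    remediate
fi
```

Run it as `sh check-cf7-spam-protect.sh --run` from the WordPress root (or with `--path=`-style WP-CLI configuration in place). The numeric comparison matters here because the fixed release is 1.2.10: a lexical comparison would sort it before 1.2.9 and report a patched site as vulnerable.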

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Spam Protect For Contact Form 7
                                      Spam Protect For Contact Form 7 spam Protect For Contact Form 7
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products   -                Spam Protect For Contact Form 7
                                      Spam Protect For Contact Form 7 spam Protect For Contact Form 7
                                      Wordpress
                                      Wordpress wordpress

Thu, 02 Apr 2026 14:15:00 +0000

Type         Values Removed   Values Added
Weaknesses   -                CWE-94
Metrics      -                cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 08:00:00 +0000

Type          Values Removed   Values Added
Description   -                The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header
Title         -                Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution
References    -

MITRE

Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-04-02T13:13:54.388Z
Reserved: 2026-01-28T14:37:11.670Z
Link: CVE-2026-1540

Vulnrichment

Updated: 2026-04-02T13:13:37.288Z

NVD

Status: Received
Published: 2026-04-02T06:16:22.337
Modified: 2026-04-02T14:16:25.690
Link: CVE-2026-1540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:18Z

Weaknesses