Description
Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
Published: 2026-05-04
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A loop in the Wpcf7cfMailParser class of the Conditional Fields for Contact Form 7 plugin reads its iteration count directly from unauthenticated POST parameters supplied to the REST API endpoint, with no validation and no upper bound. An attacker can therefore supply an arbitrarily large integer and make the loop run for an attacker-chosen, effectively unbounded number of iterations, each performing preg_replace() calls; the accumulated work and memory exhaust the server and ultimately crash the PHP process, resulting in a denial of service.

Affected Systems

The vulnerability affects WordPress sites running Jules Colle’s Conditional Fields for Contact Form 7 plugin through version 2.6.7. All installations older than 2.7.3 are susceptible.

Risk and Exploitability

The flaw requires no authentication and is triggered by a publicly reachable REST API endpoint. The published CVSS score of 8.7 indicates high severity, the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue by submitting a large integer value in a POST request, making the vulnerability easy to deploy and potentially causing widespread service disruption.

Generated by OpenCVE AI on May 4, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.7.3 or later, which removes the uncontrolled loop and applies proper bounds checks.
  • Restrict or disable the Conditional Fields REST API endpoint on the production server if the advanced form features are not required, thereby eliminating the attack surface.
  • Implement application-layer rate limiting or input validation to cap the size of integer parameters before they reach the plugin code, reducing the risk of resource exhaustion during any future regressions.
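As an added illustration of the weakness the analysis describes and of the input-validation action listed above (example code, not the plugin's own code), the snippet below contrasts a loop whose count is trusted straight from the request with one that validates and caps it. The parameter name `iteration_count`, the regex, the sample mail body and the ceiling `MAX_ITERATIONS` are assumptions for this example; the plugin's real method, parameter names and regular expressions are not reproduced here.

```php
<?php
// Added illustration (not the plugin's code): bounding a loop count that
// arrives from an untrusted request. The parameter name 'iteration_count',
// the regex and the limit MAX_ITERATIONS are assumptions for this example.

const MAX_ITERATIONS = 100;

// Weak pattern of the kind the advisory describes: the count is trusted as
// given, so a huge value drives an unbounded series of regex replacements.
function strip_hidden_fields_unbounded(string $body, array $request): string
{
    $count = (int) ($request['iteration_count'] ?? 0);   // no upper bound
    for ($i = 0; $i < $count; $i++) {
        $body = preg_replace('/\[hidden\][^\[]*\[\/hidden\]/', '', $body);
    }
    return $body;
}

// Hardened form: validate the integer and reject anything outside a fixed
// range before any work happens. filter_var() returns false for non-numeric
// input, for missing input (null) and for values outside min/max.
function bounded_iteration_count(array $request, string $key, int $max): int
{
    $value = filter_var(
        $request[$key] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => $max]]
    );
    if ($value === false) {
        throw new InvalidArgumentException("$key must be an integer between 0 and $max");
    }
    return $value;
}

function strip_hidden_fields_bounded(string $body, array $request): string
{
    $count = bounded_iteration_count($request, 'iteration_count', MAX_ITERATIONS);
    for ($i = 0; $i < $count; $i++) {
        $new = preg_replace('/\[hidden\][^\[]*\[\/hidden\]/', '', $body);
        if ($new === $body) {
            break;   // a pass that changes nothing means there is nothing left to do
        }
        $body = $new;
    }
    return $body;
}

// Constructed sample input: a mail body with one hidden block, plus an
// abusive request that asks for far more iterations than the ceiling allows.
$body = "Name: Alice\n[hidden]secret[/hidden]\nDone\n";
$abusive = ['iteration_count' => '999999999'];

try {
    strip_hidden_fields_bounded($body, $abusive);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A request within range is processed; the loop exits after the second pass
// because the first pass already removed the only hidden block.
echo strip_hidden_fields_bounded($body, ['iteration_count' => '3']);
```

In a WordPress plugin the same check can sit at the endpoint boundary instead of inside the parser: `register_rest_route()` accepts an `args` schema per parameter with `type`, `minimum` and `maximum`, and the REST layer rejects an out-of-range request with a 400 before the callback runs. Either way, the early exit when a pass changes nothing means even an in-range count cannot make the loop do more work than the input warrants.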

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
Title       |                | Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncontrolled Resource Consumption
Weaknesses  |                | CWE-1284
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
            |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-04T18:29:01.446Z

Reserved: 2026-02-06T19:12:03.463Z

Link: CVE-2026-25863

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T19:16:02.953

Modified: 2026-05-04T19:16:02.953

Link: CVE-2026-25863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T21:00:09Z

Weaknesses