Description
Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
Published: 2026-05-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A loop in the Wpcf7cfMailParser class of the Conditional Fields for Contact Form 7 plugin, specifically in the hide_hidden_mail_fields_regex_callback() method, reads its iteration count directly from unauthenticated POST parameters supplied to the REST API endpoint, without validation or an upper bound. An attacker can therefore provide an arbitrarily large integer, driving an effectively unbounded loop of preg_replace() calls that consumes server memory and ultimately crashes the PHP process, resulting in a denial of service.

Affected Systems

The vulnerability affects WordPress sites running Jules Colle’s Conditional Fields for Contact Form 7 plugin through version 2.7.2. All installations older than 2.7.3 are susceptible.

Risk and Exploitability

The flaw requires no authentication and is triggered through a publicly reachable REST API endpoint. The published CVSS score of 8.7 indicates high severity; the EPSS score is below 1 %, and the vulnerability is not listed in the CISA KEV catalog. Exploitation amounts to submitting a large integer value in a POST request, so the issue is easy to exploit and could cause widespread service disruption.

Generated by OpenCVE AI on May 26, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.7.3 or later, which removes the uncontrolled loop and applies proper bounds checks.
  • Restrict or disable the Conditional Fields REST API endpoint on the production server if the advanced form features are not required, thereby eliminating the attack surface.
  • Implement application-layer rate limiting or input validation to cap the size of integer parameters before reaching the plugin code, reducing the risk of resource exhaustion during any future regressions.
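The third action above, capping an attacker-controlled count before it drives server work, is illustrated by the following added example. It is not code from the plugin or from OpenCVE: the function names, the `hidden_field_count` parameter, the route name and the ceiling of 50 passes are all assumptions chosen for illustration. It contrasts the unsafe pattern the advisory describes (a loop whose trip count comes straight from the request) with a hardened helper, and shows how a WordPress REST route can enforce the bound in its argument schema so the value is rejected before the callback runs.

```php
<?php
// Added illustration, not the plugin's code. All names below are hypothetical.

// Assumed ceiling: the largest number of regex passes the feature legitimately needs.
const MAX_HIDDEN_FIELD_PASSES = 50;

// Unsafe pattern (the shape the advisory describes): the client decides how many
// preg_replace() passes run, so a huge value turns one request into unbounded work.
function strip_hidden_fields_unsafe(string $body, array $post): string {
    $passes = $post['hidden_field_count'] ?? 0;   // unvalidated, no upper bound
    for ($i = 0; $i < $passes; $i++) {
        $body = preg_replace('/\[hidden-' . $i . '\].*?\[\/hidden-' . $i . '\]/s', '', $body);
    }
    return $body;
}

// Hardened helper: accept only a genuine integer within [0, $max]; anything else
// (non-numeric, negative, float, out of range) yields null so the caller can refuse it.
function bounded_count($raw, int $max): ?int {
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

function strip_hidden_fields_safe(string $body, array $post): string {
    $passes = bounded_count($post['hidden_field_count'] ?? 0, MAX_HIDDEN_FIELD_PASSES);
    if ($passes === null) {
        // Out-of-range or malformed count: do no work rather than clamp silently,
        // so a probe for this weakness is visible as a rejected request in the logs.
        return $body;
    }
    for ($i = 0; $i < $passes; $i++) {
        $body = preg_replace('/\[hidden-' . $i . '\].*?\[\/hidden-' . $i . '\]/s', '', $body);
    }
    return $body;
}

// Hypothetical REST route (WordPress API names assumed available at runtime).
// Declaring type/minimum/maximum in 'args' makes the REST layer validate the
// parameter and return HTTP 400 before the callback ever sees an oversized value.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/hide-fields', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'args'                => [
            'hidden_field_count' => [
                'type'              => 'integer',
                'minimum'           => 0,
                'maximum'           => MAX_HIDDEN_FIELD_PASSES,
                'required'          => true,
                'sanitize_callback' => 'absint',
            ],
            'body' => ['type' => 'string', 'required' => true],
        ],
        'callback' => function (WP_REST_Request $request) {
            $result = strip_hidden_fields_safe(
                $request->get_param('body'),
                ['hidden_field_count' => $request->get_param('hidden_field_count')]
            );
            return new WP_REST_Response(['body' => $result], 200);
        },
    ]);
});
```

The two layers are deliberately redundant: the route schema stops oversized values at the REST boundary, and `bounded_count()` protects the parser if it is ever reached by another code path. Whatever the concrete ceiling, the point is that the number of passes should be derived from a fixed server-side limit, never solely from the request.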

Generated by OpenCVE AI on May 26, 2026 at 01:22 UTC.


Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type: Description
Values Removed: Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
Values Added: Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.

Wed, 06 May 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Jules Colle; Jules Colle conditional Fields For Contact Form 7; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Jules Colle; Jules Colle conditional Fields For Contact Form 7; Wordpress; Wordpress wordpress

Tue, 05 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 19:00:00 +0000

Type: Description
Values Added: Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
Type: Title
Values Added: Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncontrolled Resource Consumption
Type: Weaknesses
Values Added: CWE-1284
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Jules Colle Conditional Fields For Contact Form 7
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:44.252Z

Reserved: 2026-02-06T19:12:03.463Z

Link: CVE-2026-25863

Vulnrichment

Updated: 2026-05-05T14:55:17.657Z

NVD

Status : Deferred

Published: 2026-05-04T19:16:02.953

Modified: 2026-05-05T19:47:57.367

Link: CVE-2026-25863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T01:30:15Z

Weaknesses