Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9.
Published: 2026-03-25
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion
Action: Patch immediately
AI Analysis

Impact

The CVE exposes an improper limitation on path names within the Spam Protect for Contact Form 7 plugin, allowing an attacker to manipulate file paths and delete arbitrary files on the server. This path traversal weakness is categorized as CWE‑22. A successful exploit would enable a malicious actor to remove critical files, potentially disrupting website functionality or compromising system integrity.

Affected Systems

Affected systems include any WordPress site that has the Spam Protect for Contact Form 7 plugin installed with a version up to and including 1.2.9. The plugin is maintained by NYSL and is a common addition for spam protection on Contact Form 7 forms. No other WordPress plugins or core WordPress versions are explicitly impacted by this CVE.

Risk and Exploitability

The CVSS score of 6.7 indicates moderate severity. The likelihood of exploitation is low, with an EPSS score below 1 % and no listing in the CISA KEV catalog. The vulnerability is exploitable via a path traversal payload, likely requiring authenticated or unauthenticated access to the plugin’s file handling functionality. Attackers would need to supply a crafted input that bypasses directory restrictions to delete arbitrary files.

Generated by OpenCVE AI on March 26, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Spam Protect for Contact Form 7 plugin to a version newer than 1.2.9, preferably 1.3.0 or later.
  • If the plugin is no longer needed, disable or remove it entirely from the WordPress installation.
  • Configure file system permissions to restrict deletion capabilities for the web server user.
  • Monitor server logs for suspicious file deletion attempts and investigate any anomalies.

Generated by OpenCVE AI on March 26, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nysl
Nysl spam Protect For Contact Form 7
Wordpress
Wordpress wordpress
Vendors & Products Nysl
Nysl spam Protect For Contact Form 7
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9.
Title WordPress Spam Protect for Contact Form 7 plugin <= 1.2.9 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References

Subscriptions

Nysl Spam Protect For Contact Form 7
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:28:30.059Z

Reserved: 2026-03-12T11:12:00.510Z

Link: CVE-2026-32496

cve-icon Vulnrichment

Updated: 2026-03-26T19:27:49.026Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:17:01.383

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32496

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:05Z

Weaknesses