Server-Side Request Forgery Vulnerability in CF7 to Webhook Plugin for WordPress
CVE-2026-11395

7.2 HIGH

Key Information:

Vendor

WordPress

CVE Published:
18 June 2026

What is CVE-2026-11395?

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to 5.0.0, and the flaw can be exploited by unauthenticated attackers. It is reached through the pull_the_trigger function when the webhook URL configured by the admin contains a Contact Form 7 field placeholder in the host segment. If the affected form is publicly accessible, attackers can make the web application issue requests to arbitrary locations, potentially enabling them to query and alter sensitive information from internal services.
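
A configuration check for the condition described above, as an added example that is not part of the advisory or the plugin's code: it flags webhook URL templates whose host (authority) segment contains a placeholder. The `[field-name]` placeholder syntax, the function names and the sample URLs are assumptions constructed for illustration.

```python
import re

# Assumption: placeholders use Contact Form 7's mail-tag form, e.g. [your-name].
# An IPv6 literal such as [::1] does not match because it contains colons.
PLACEHOLDER = re.compile(r"\[[A-Za-z][A-Za-z0-9_-]*\]")
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def authority_of(template):
    """Return the authority (userinfo@host:port) part of a URL template,
    or None when the template does not start with a literal scheme://."""
    m = SCHEME.match(template)
    if not m:
        return None
    remainder = template[m.end():]
    # The authority ends at the first '/', '?' or '#' (RFC 3986, section 3.2).
    cut = re.search(r"[/?#]", remainder)
    return remainder[:cut.start()] if cut else remainder


def audit_webhook_template(template):
    """Classify one webhook URL template.
    'host-controlled': a submitted field value can change the request target.
    'ok': placeholders, if any, sit only in the path, query or fragment.
    'invalid': no literal scheme:// and no placeholder."""
    template = template.strip()
    authority = authority_of(template)
    if authority is None:
        # No fixed scheme://, e.g. the whole URL is a single placeholder.
        return "host-controlled" if PLACEHOLDER.search(template) else "invalid"
    return "host-controlled" if PLACEHOLDER.search(authority) else "ok"


def audit_all(templates):
    """Map each template to its verdict."""
    return {t: audit_webhook_template(t) for t in templates}


# Constructed sample templates (not taken from any real site).
SAMPLES = [
    "https://hooks.example.com/cf7?email=[your-email]",
    "https://[tenant].example.com/hook",
    "https://hooks.example.com[suffix]/hook",
    "[callback-url]",
    "http://[::1]:8080/hook?name=[your-name]",
]

if __name__ == "__main__":
    for tmpl, verdict in audit_all(SAMPLES).items():
        print(f"{verdict:16} {tmpl}")
```

Templates reported as `host-controlled` match the configuration the advisory describes and should be rewritten so that the scheme and host are fixed literals.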

Affected Version(s)

CF7 to Webhook 0 <= 5.0.0

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chris Peterson