Uncontrolled Resource Consumption in Contact Form 7 Plugin by WordPress
CVE-2026-25863
8.7 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 4 May 2026
What is CVE-2026-25863?
The Conditional Fields for Contact Form 7 plugin, through version 2.6.7, has a vulnerability in the Wpcf7cfMailParser class. The issue arises in the hide_hidden_mail_fields_regex_callback() method, which takes an iteration count directly from unsanitized user input supplied as POST parameters. Because the value is never validated or bounded, an unauthenticated attacker can submit an excessively large integer through the REST API endpoint, causing the method to loop an unbounded number of times. Each iteration performs preg_replace() operations, so memory consumption grows until the PHP process is exhausted and crashes, disrupting service on the affected WordPress site.
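The root cause described above is a loop count taken from the request without validation. The following PHP snippet is an added illustration, not code from the Conditional Fields for Contact Form 7 plugin: it contrasts the weak pattern (cast the POST value and loop) with a hardened one that validates the value as an integer inside a fixed range before any work is done. The parameter name `iterations`, the cap `MAX_ITERATIONS`, the `[hidden-field]` pattern and the sample requests are all constructed for the example.

```php
<?php
// Added illustration, not the plugin's own code.
// Assumptions: the request carries the count in $_POST['iterations'],
// and 100 passes is a generous upper bound for the feature.
const MAX_ITERATIONS = 100;

/**
 * Weak pattern: the loop count comes straight from the request, so the
 * caller decides how many times the regex work below runs.
 */
function iteration_count_unchecked(array $post): int
{
    return (int) ($post['iterations'] ?? 0);
}

/**
 * Hardened pattern: accept only an integer within [0, MAX_ITERATIONS] and
 * reject the request otherwise, before any iteration happens.
 */
function iteration_count_checked(array $post): int
{
    $raw = $post['iterations'] ?? null;
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_ITERATIONS],
    ]);
    if ($n === false) {
        // A rejected value is worth logging: repeated out-of-range counts
        // from one client are a useful detection signal for this class of DoS.
        throw new InvalidArgumentException(
            'iterations must be an integer between 0 and ' . MAX_ITERATIONS
        );
    }
    return $n;
}

/**
 * Stand-in for the per-iteration regex processing. The loop is also clamped
 * here as defence in depth, so a missed check upstream cannot make it unbounded.
 */
function apply_regex_passes(string $body, int $iterations): string
{
    $iterations = min($iterations, MAX_ITERATIONS);
    for ($i = 0; $i < $iterations; $i++) {
        $body = preg_replace('/\[hidden-field\]/', '', $body);
    }
    return $body;
}

// Constructed sample requests.
$legit = ['iterations' => '3'];
$abuse = ['iterations' => '999999999'];

echo apply_regex_passes('a [hidden-field] b', iteration_count_checked($legit)), PHP_EOL;

try {
    iteration_count_checked($abuse); // rejected before any loop runs
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In a WordPress REST route the same check belongs in the endpoint's `args` validation or a `validate_callback`, so the request is refused with a 400 before the handler is reached; the clamp inside the loop then costs nothing and protects against any future caller that bypasses the argument validation.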
Affected Version(s)
Conditional Fields for Contact Form 7: 0 through 2.6.7