CVE-2026-1540

HIGH 7.2

Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution

CVSS Score

7.2

EPSS Score

0.0%

EPSS Percentile

7th

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header

Vendor	unknown
Product	spam protect for contact form 7
Published	Apr 2, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for unknown spam protect for contact form 7

Be the first to know when new high vulnerabilities affecting unknown spam protect for contact form 7 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / Spam Protect for Contact Form 7

0 < 1.2.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/

Credits

Chiao-Lin Yu (Steven Meow) WPScan