CVE-2026-25863

HIGH 7.5

Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncontrolled Resource Consumption

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.

CWE	CWE-1284
Vendor	jules colle
Product	conditional fields for contact form 7
Published	May 4, 2026

Stay Ahead of the Next One

Get instant alerts for jules colle conditional fields for contact form 7

Be the first to know when new high vulnerabilities affecting jules colle conditional fields for contact form 7 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

Jules Colle / Conditional Fields for Contact Form 7

0 < 2.7.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordpress.org: https://wordpress.org/plugins/cf7-conditional-fields/#developers vulncheck.com: https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption

Credits

Rahul Karne VulnCheck