{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-25863/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-25863"}],"_cs_exploited":false,"_cs_products":["Contact Form 7 WordPress plugin"],"_cs_severities":["medium"],"_cs_tags":["wordpress","resource-exhaustion","denial-of-service","cve-2026-25863"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Contact Form 7 WordPress plugin, specifically versions up to 2.6.7, contains an uncontrolled resource consumption vulnerability (CVE-2026-25863) within the \u003ccode\u003eWpcf7cfMailParser\u003c/code\u003e class. The \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method is susceptible to unbounded loop execution due to reading an iteration count directly from user-supplied POST parameters via the REST API endpoint without proper validation. This allows unauthenticated attackers to send a large integer value, triggering multiple \u003ccode\u003epreg_replace()\u003c/code\u003e operations, leading to server memory exhaustion and crashing the PHP process. This vulnerability enables a denial-of-service condition, potentially impacting all websites using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using Contact Form 7 plugin version 2.6.7 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the WordPress REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a large integer value for the iteration count parameter, which is passed directly to the \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehide_hidden_mail_fields_regex_callback()\u003c/code\u003e method, lacking input validation, reads the attacker-controlled integer.\u003c/li\u003e\n\u003cli\u003eThe method initiates an unbounded loop, performing \u003ccode\u003epreg_replace()\u003c/code\u003e operations based on the attacker-supplied iteration count.\u003c/li\u003e\n\u003cli\u003eEach \u003ccode\u003epreg_replace()\u003c/code\u003e operation consumes server memory.\u003c/li\u003e\n\u003cli\u003eThe excessive number of iterations rapidly exhausts available server memory.\u003c/li\u003e\n\u003cli\u003eThe PHP process crashes due to memory exhaustion, resulting in a denial-of-service condition for the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition. Attackers can crash the PHP process on vulnerable WordPress websites by exhausting server memory. This can result in website downtime, impacting user experience and potentially leading to data loss or corruption. While the exact number of affected websites is unknown, the widespread use of Contact Form 7 makes this vulnerability a significant threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Contact Form 7 WordPress plugin to a version greater than 2.6.7 to patch CVE-2026-25863.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Contact Form 7 Uncontrolled Resource Consumption Attempt\u003c/code\u003e to your SIEM to detect malicious POST requests targeting the WordPress REST API.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for abnormally large POST request sizes to the WordPress REST API endpoint, as this may indicate an attempted exploitation of CVE-2026-25863.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T19:16:02Z","date_published":"2026-05-04T19:16:02Z","id":"/briefs/2026-05-contact-form-7-resource-exhaustion/","summary":"The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.","title":"Contact Form 7 WordPress Plugin Uncontrolled Resource Consumption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-contact-form-7-resource-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-25863","version":"https://jsonfeed.org/version/1.1"}