← back
CVE-2026-1540

Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution

CVSS 7.2 HIGHEPSS 0.6%CWE-94
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · Spam Protect for Contact Form 7
public PoCs found1
cve_referencewpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/