Platform: wordpress
Component: wp-contact-form-7-spam-blocker
Fixed in: 1.2.10
CVE-2026-1540 is a Remote Code Execution (RCE) vulnerability affecting the Spam Protect for Contact Form 7 WordPress plugin. This flaw allows an attacker with editor-level privileges to execute arbitrary code on the server by exploiting the plugin's logging mechanism with a crafted header. The vulnerability affects versions 0 up to and including 1.2.10 of the plugin. Version 1.2.10 contains the necessary fix.
A Remote Code Execution (RCE) vulnerability has been discovered in the Spam Protect for Contact Form 7 plugin for WordPress. This vulnerability affects all versions prior to 1.2.10. It allows authenticated attackers, with Editor-level access or higher, to execute malicious code on the server. The risk is significant, as an attacker could gain complete control of the website, compromise sensitive user data, inject malware, or perform other harmful actions. The vulnerability stems from how the plugin processes certain inputs, enabling the injection of code that is executed during processing. Immediate plugin updates are crucial to mitigate this risk. Failure to update could result in a security breach with severe consequences for the website and its visitors.
An attacker with Editor or higher access on a WordPress site using Spam Protect for Contact Form 7 and running a version prior to 1.2.10 can exploit this vulnerability. The attack typically involves injecting malicious code through a contact form, which is then executed by the plugin. The attacker could use this vulnerability to upload malicious files, modify the website’s database, or even take control of the server. The complexity of the attack depends on the attacker’s technical knowledge, but the vulnerability is inherently serious due to its potential for remote code execution. Authentication is a prerequisite, meaning the attacker needs to have a user account with the appropriate privileges.
Exploit Status:
EPSS: 0.10% (29th percentile)
CVSS Vector:
The most effective solution to address this vulnerability is to immediately update the Spam Protect for Contact Form 7 plugin to version 1.2.10 or higher. This version contains the necessary fix to prevent the execution of malicious code. Additionally, it is recommended to perform a security audit of the website to identify and correct any potential additional vulnerabilities. Ensure you create a full website backup before performing the update. If you cannot update immediately, consider temporarily disabling the plugin until you can update it securely. Monitor your server logs for suspicious activity after the update to confirm the vulnerability has been resolved.
Update to version 1.2.10, or a newer patched version
If you cannot update the plugin immediately, disabling it temporarily is the best option to mitigate the risk. Update it as soon as possible.
In the WordPress admin dashboard, go to 'Plugins' and look for 'Spam Protect for Contact Form 7'. The current version will be displayed next to the plugin name.
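A scripted form of the version check just described and of the update recommended in the remediation section, added here as an example; it is not part of the advisory and not the plugin's own tooling. It assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root, and it takes the plugin slug `wp-contact-form-7-spam-blocker` from the Component field above. The helper names `version_lt`, `is_vulnerable` and `installed_version` are chosen here. The comparator splits dotted versions numerically so that 1.2.9 sorts before 1.2.10, which a plain string comparison gets wrong.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed
# Spam Protect for Contact Form 7 plugin is below the fixed version 1.2.10
# and, if so, update it with WP-CLI. Assumes `wp` is on PATH and that the
# script is run from the WordPress root. Slug taken from the advisory's
# Component field.

FIXED_VERSION="1.2.10"
PLUGIN_SLUG="wp-contact-form-7-spam-blocker"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Components are compared as integers; missing components count as 0 and
# any non-digit suffix (e.g. "-beta") is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        # Advance past the consumed component (or empty when none remain).
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "less than"
}

# is_vulnerable VERSION: exit 0 when VERSION predates the fix for CVE-2026-1540.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version: print the installed plugin version via WP-CLI.
# Prints nothing if the plugin is absent; exits 1 if `wp` is unavailable.
installed_version() {
    command -v wp >/dev/null 2>&1 || return 1
    wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null
}

main() {
    if ! ver="$(installed_version)"; then
        echo "wp-cli not found; check the Plugins page in the dashboard instead"
        return 2
    fi
    if [ -z "$ver" ]; then
        echo "$PLUGIN_SLUG is not installed; nothing to do"
        return 0
    fi
    if is_vulnerable "$ver"; then
        echo "Installed $ver < $FIXED_VERSION: affected by CVE-2026-1540, updating"
        wp plugin update "$PLUGIN_SLUG"
    else
        echo "Installed $ver >= $FIXED_VERSION: not affected by CVE-2026-1540"
    fi
}

# Run the check only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Invoke as `sh check-cf7-spam.sh --run` from the site root. Take the full backup recommended above before letting it call `wp plugin update`; the comparison functions can be sourced and reused on their own for other plugins by changing the two variables at the top.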
Yes, all versions of the plugin prior to 1.2.10 are vulnerable, regardless of the website’s configuration.
The attacker could execute any type of code, including PHP scripts, that allows them to take control of the website or access sensitive data.
You can find more information about CVE-2026-1540 in vulnerability databases such as NIST's National Vulnerability Database (NVD).