PT-2026-36894 · WordPress · Conditional Fields For Contact Form 7
Author: Rahul Karne
Published: 2026-05-04
Updated: 2026-05-04
CVE-2026-25863
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Conditional Fields for Contact Form 7 WordPress plugin versions prior to 2.6.8
Description
An uncontrolled resource consumption issue exists in the Wpcf7cfMailParser class. The hide_hidden_mail_fields_regex_callback() method processes an iteration count from user-supplied POST parameters without validation or upper-bound enforcement. Unauthenticated attackers can send an arbitrarily large integer via a REST API endpoint to trigger an unbounded loop with multiple preg_replace() operations, leading to server memory exhaustion and PHP process crashes.
Recommendations
Update the plugin to version 2.6.8 or later.
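The weakness class described above is a loop whose trip count is taken from the request. The following PHP is an added illustration written for this page, not code from the plugin or its fix: it shows a hypothetical mail-body callback in its unbounded form next to a hardened form that validates the count, clamps it to a fixed ceiling, and stops early once a pass changes nothing. The function names, the `iteration_count` parameter, the `[hidden:...]` tag syntax and the `MAX_ITERATIONS` ceiling are all assumptions made for the example.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical callback that
// repeats a preg_replace() pass as many times as a request-supplied count says.

// Hypothetical ceiling for the example; a real handler picks a value that
// covers legitimate nesting depth and nothing more.
const MAX_ITERATIONS = 10;

// Unbounded pattern: the loop count is whatever the request contains, so a
// very large integer turns one request into a long-running CPU and memory burn.
function strip_hidden_fields_unbounded(string $mail_body, array $post): string {
    $count = (int) ($post['iteration_count'] ?? 1);
    for ($i = 0; $i < $count; $i++) {
        $mail_body = preg_replace('/\[hidden:[^\]]*\]/', '', $mail_body);
    }
    return $mail_body;
}

// Hardened pattern: the count must be a non-negative integer, is clamped to
// MAX_ITERATIONS, and the loop exits as soon as a pass makes no replacement.
function strip_hidden_fields_bounded(string $mail_body, array $post): string {
    $raw = $post['iteration_count'] ?? 1;
    if (!is_numeric($raw) || (int) $raw < 0) {
        $raw = 1; // reject garbage and negatives; fall back to one pass
    }
    $count = min((int) $raw, MAX_ITERATIONS);
    for ($i = 0; $i < $count; $i++) {
        $replacements = 0;
        $updated = preg_replace('/\[hidden:[^\]]*\]/', '', $mail_body, -1, $replacements);
        if ($updated === null || $replacements === 0) {
            break; // regex error or nothing left to strip: stop iterating
        }
        $mail_body = $updated;
    }
    return $mail_body;
}

// Constructed sample request: an oversized count that the bounded handler
// tolerates because it is clamped before the loop starts.
$sample_post = ['iteration_count' => '2147483647'];
$sample_body = 'Name: [hidden:token] [hidden:nonce] Alice';
echo strip_hidden_fields_bounded($sample_body, $sample_post), PHP_EOL;
// prints "Name:   Alice"
```

In a WordPress REST handler the same bound is best expressed declaratively, in the `args` array passed to `register_rest_route()`, with a `validate_callback` that rejects values outside the accepted range and a `sanitize_callback` such as `absint` so the handler never sees an unvalidated integer; the clamp inside the function then acts as a second line of defence rather than the only one.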
Affected Products
Conditional Fields For Contact Form 7