Home

Description

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header

PUBLISHED Reserved 2026-01-28 | Published 2026-04-02 | Updated 2026-04-02 | Assigner WPScan

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status
unaffected

Any version before 1.2.10
affected

Credits

Chiao-Lin Yu (Steven Meow) finder

WPScan coordinator

References

wpscan.com/...rability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/ exploit vdb-entry technical-description

cve.org (CVE-2026-1540)

nvd.nist.gov (CVE-2026-1540)

Download JSON