Cyber Posture

CVE-2026-1540

Severity: High · Impact: RCE

Published: 02 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (update to 1.2.10 or later)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1540 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Web Shell (T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent · SI-2 (Flaw Remediation): Requires timely flaw remediation by updating the vulnerable Spam Protect for Contact Form 7 plugin to version 1.2.10 or later, directly eliminating the insecure logging mechanism that enables RCE.

prevent · least privilege: Enforces least privilege to restrict the editor-level access required for exploitation, minimizing the number of users able to supply crafted headers for code injection.

prevent · CM-11 (User-installed Software): Manages and approves user-installed software such as third-party WordPress plugins, preventing deployment of vulnerable versions of Spam Protect for Contact Form 7 prior to 1.2.10.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Direct RCE via code injection into the PHP log file of a public-facing WordPress plugin enables T1190 exploitation and T1505.003 web shell deployment.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header.

Deeper analysis [AI-generated]

CVE-2026-1540 is a code injection vulnerability (CWE-94) in the Spam Protect for Contact Form 7 WordPress plugin, affecting versions prior to 1.2.10. The flaw arises from the plugin's capability to log data to a PHP file, which an attacker can abuse to achieve remote code execution (RCE) by supplying a crafted header. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Exploitation requires an attacker to possess editor-level privileges (PR:H) on the target WordPress site. With network access (AV:N) and low attack complexity (AC:L), no user interaction (UI:N) is needed, allowing the attacker to inject and execute arbitrary code remotely. This results in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially leading to full site compromise.

The WPScan advisory at https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/ details the issue, with mitigation achieved by updating the plugin to version 1.2.10 or later, which addresses the insecure logging mechanism.
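The root cause described above is a log file that is both attacker-influenced and PHP-executable. The helper below is an added illustration of the defensive pattern, not code from the Spam Protect plugin or its 1.2.10 fix: it writes request headers only to a non-executable file outside the web root, and neutralizes anything in a header value that could later be parsed as PHP or forge extra log lines. The directory path, function names and sample headers are assumptions.

```php
<?php
// Added illustration (not the plugin's code): log request headers without
// ever producing a file the web server could execute. Two independent
// safeguards: (1) the log lives outside DocumentRoot with a .log extension,
// (2) every logged value is reduced to safe printable text.

const LOG_DIR = '/var/log/wp-spam-protect';   // assumed path, outside the web root
const MAX_FIELD_LEN = 512;

function neutralize_header_value(string $value): string {
    // CR, LF and NUL would let one request forge additional log lines.
    $value = str_replace(["\r", "\n", "\0"], ' ', $value);
    // Every PHP tag begins with '<'; escaping that single character defeats
    // '<?php', '<?=' and short tags, including nested tricks like '<<?php?php'.
    $value = str_replace('<', '&lt;', $value);
    // Keep printable ASCII only and bound the length per field.
    $value = preg_replace('/[^\x20-\x7E]/', '?', $value);
    return substr($value, 0, MAX_FIELD_LEN);
}

function log_submission(array $headers, string $log_name = 'submissions.log'): bool {
    // Refuse any log name the web server might serve or execute (.php, .phtml, ...).
    if (!preg_match('/^[a-z0-9_-]+\.log$/i', $log_name)) {
        return false;
    }
    if (!is_dir(LOG_DIR) && !mkdir(LOG_DIR, 0750, true)) {
        return false;
    }
    $fields = [];
    foreach ($headers as $name => $value) {
        $fields[] = neutralize_header_value((string) $name) . '='
                  . neutralize_header_value((string) $value);
    }
    $line = gmdate('c') . ' ' . implode(' ', $fields) . PHP_EOL;
    $path = LOG_DIR . '/' . $log_name;
    // Append-only, locked write; 0640 keeps the file private to the service user.
    $ok = file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
    @chmod($path, 0640);
    return $ok;
}

// Constructed sample: a User-Agent carrying a newline and a PHP open tag.
$sample = [
    'User-Agent'      => "Mozilla/5.0\n<?php echo 'x'; ?>",
    'X-Forwarded-For' => '203.0.113.5',
];
var_dump(log_submission($sample));
```

The logged line contains `&lt;?php` on a single row, so even if the file were mistakenly included or served, PHP would find no open tag to interpret.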

Details

CWE(s): CWE-94 (Code Injection)

CVEs Like This One (shared CWE-94)

CVE-2025-66224
CVE-2026-26699
CVE-2026-2296
CVE-2024-50660
CVE-2024-13890
CVE-2026-3352
CVE-2025-70995
CVE-2023-53888
CVE-2026-27044
CVE-2025-69319

References

WPScan advisory: https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/