Cyber Resilience

CVE-2026-1540

Severity: High · Type: RCE

Published: 02 April 2026

Modified: 15 April 2026
KEV Added: not listed
Patch: update to version 1.2.10 or later
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1540 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1540 is a code injection vulnerability (CWE-94) in the Spam Protect for Contact Form 7 WordPress plugin, affecting versions prior to 1.2.10. The flaw arises from the plugin's capability to log data to a PHP file, which an attacker can abuse to achieve remote code execution (RCE) by supplying a crafted header. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Exploitation requires an attacker to already hold editor-level privileges (PR:H) on the target WordPress site. With network access (AV:N), low attack complexity (AC:L) and no user interaction (UI:N), the attacker can inject and execute arbitrary code remotely. This results in high confidentiality, integrity and availability impacts (C:H/I:H/A:H), potentially leading to full site compromise.

The WPScan advisory at https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/ details the issue, with mitigation achieved by updating the plugin to version 1.2.10 or later, which addresses the insecure logging mechanism.


Vulnerability details

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Direct RCE via code injection into a PHP log file of a public-facing WordPress plugin enables T1190 exploitation and T1505.003 web shell deployment.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-57487 (shared CWE-94)
CVE-2025-70995 (shared CWE-94)
CVE-2026-32367 (shared CWE-94)
CVE-2026-3352 (shared CWE-94)
CVE-2026-30117 (shared CWE-94)
CVE-2026-45708 (shared CWE-94)
CVE-2023-53888 (shared CWE-94)
CVE-2024-50660 (shared CWE-94)
CVE-2026-26699 (shared CWE-94)
CVE-2025-70073 (shared CWE-94)


Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2, Flaw Remediation): Requires timely flaw remediation by updating the vulnerable Spam Protect for Contact Form 7 plugin to version 1.2.10 or later, directly eliminating the insecure logging mechanism that enables RCE.

Prevent (least privilege): Enforces least privilege to restrict the editor-level access required for exploitation, minimizing the number of users able to supply crafted headers for code injection.

Prevent (CM-11, User-installed Software): Manages and approves user-installed software such as third-party WordPress plugins, preventing deployment of vulnerable versions such as Spam Protect for Contact Form 7 prior to 1.2.10.

References

WPScan advisory: https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/