CVE-2026-25863
Published: 04 May 2026
Summary
CVE-2026-25863 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 34.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25863 is an uncontrolled resource consumption vulnerability (CWE-1284) in the Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7. The flaw exists in the Wpcf7cfMailParser class's hide_hidden_mail_fields_regex_callback() method, which reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement, enabling unbounded loop execution with multiple preg_replace() operations.
Unauthenticated attackers can exploit the vulnerability remotely via the REST API endpoint by supplying an arbitrarily large integer value in POST parameters. This causes excessive resource consumption, exhausting server memory and crashing the PHP process, resulting in denial of service. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact with no requirements for privileges or user interaction.
Mitigation guidance is available in advisories such as the VulnCheck report at https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption and the plugin's developer documentation at https://wordpress.org/plugins/cf7-conditional-fields/#developers.
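The flaw described above is a missing upper bound on a request-supplied iteration count. The following PHP is an added illustration written for this page, not the plugin's own source: it shows the weak pattern (the count taken straight from the request as a loop bound) beside a bounded version that validates the value as an integer within a fixed range before any preg_replace() loop runs. The parameter name `repeat_count`, the `MAX_REPEAT_COUNT` ceiling and the `[n]` template placeholder are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): bounding a request-supplied
// iteration count before it drives a regex loop.

// Weak pattern, as the advisory describes it: the count comes straight from
// the request and is used as the loop bound with no ceiling.
function count_unbounded(array $post): int
{
    return (int) ($post['repeat_count'] ?? 1); // 'repeat_count' is an assumed parameter name
}

// Hardened pattern: validate as an integer inside a fixed range. The ceiling
// is an assumed value; it should reflect the most repeats a legitimate form needs.
const MAX_REPEAT_COUNT = 100;

function count_bounded(array $post): int
{
    $raw = $post['repeat_count'] ?? '1';
    // FILTER_VALIDATE_INT rejects non-numeric strings, floats and out-of-range values
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_REPEAT_COUNT],
    ]);
    if ($n === false) {
        // Refuse rather than silently clamp, so the rejection is visible in logs
        throw new InvalidArgumentException('repeat_count must be an integer between 0 and ' . MAX_REPEAT_COUNT);
    }
    return $n;
}

// The regex loop whose cost is now capped by MAX_REPEAT_COUNT.
function expand_mail_body(string $template, array $post): string
{
    $count = count_bounded($post);
    $body = '';
    for ($i = 1; $i <= $count; $i++) {
        // one preg_replace() pass per iteration; '[n]' is an assumed placeholder
        $body .= preg_replace('/\[n\]/', (string) $i, $template) . "\n";
    }
    return $body;
}

// Constructed requests for demonstration
$legit   = ['repeat_count' => '3'];
$hostile = ['repeat_count' => '999999999'];

echo expand_mail_body('Row [n]', $legit);
try {
    expand_mail_body('Row [n]', $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design choice worth noting is that the bounded version rejects an out-of-range value instead of clamping it: a clamp keeps the endpoint working but hides the fact that someone sent an absurd count, whereas a thrown exception surfaces in the application log where it can be alerted on.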
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27083
Vulnerability details
Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement.
Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
- CWE(s): CWE-1284 (Improper Validation of Specified Quantity in Input)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Application or System Exploitation (T1499.004)
Why these techniques?
The CVE describes a remotely exploitable flaw in a public-facing WordPress plugin that allows an unauthenticated attacker to trigger unbounded resource consumption via a single crafted REST API request, directly enabling application exhaustion and denial of service through software exploitation.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied inputs (the unbounded iteration count in POST parameters) before they are used to drive preg_replace loops.
- SC-5 (Denial-of-service Protection): requires mechanisms to protect against or limit the effects of the exact denial-of-service condition (memory exhaustion via uncontrolled resource consumption) described in the CVE.
- Resource allocation and quota controls: support allocation of finite resources and quotas that would bound the impact of the maliciously large iteration value supplied to the REST endpoint.