Cyber Resilience

CVE-2026-25863

Severity: High · Public PoC

Published: 04 May 2026
Modified: 26 May 2026
KEV Added: not listed
Patch:
CVSS v4 score: 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0043 (34.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25863 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25863 is an uncontrolled resource consumption vulnerability, classified here under CWE-1284 (Improper Validation of Specified Quantity in Input), in the Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7. The flaw is in the hide_hidden_mail_fields_regex_callback() method of the Wpcf7cfMailParser class, which reads an iteration count directly from user-supplied POST parameters without validation or an upper bound, so the count drives an unbounded loop of preg_replace() operations.

Unauthenticated attackers can exploit the vulnerability remotely via the REST API endpoint by supplying an arbitrarily large integer value in POST parameters. This causes excessive resource consumption, exhausting server memory and crashing the PHP process, resulting in denial of service. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact with no requirements for privileges or user interaction.

Mitigation guidance is available in advisories such as the VulnCheck report at https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption and the plugin's developer documentation at https://wordpress.org/plugins/cf7-conditional-fields/#developers.

Vulnerability details

Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement.

Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
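The two patterns the analysis above describes, as an added PHP illustration that is not the plugin's own code: a loop whose bound is taken straight from the request, beside a hardened form that validates the quantity (the CWE-1284 point) and clamps it. The function names, the `passes` POST key, the regex and the MAX_HIDDEN_FIELD_PASSES ceiling are assumptions made for this example.

```php
<?php
// Constructed example: bounding a user-supplied iteration count before it
// drives repeated preg_replace() calls. MAX_HIDDEN_FIELD_PASSES is a
// hypothetical ceiling chosen for this illustration.
const MAX_HIDDEN_FIELD_PASSES = 20;

/**
 * Weak pattern: the integer from the request is used as the loop bound, so an
 * oversized value keeps the regex work running until PHP's memory or time
 * limits kill the process (the denial-of-service condition in the advisory).
 */
function strip_hidden_fields_unbounded(string $body, array $post): string {
    $passes = (int) ($post['passes'] ?? 1);
    for ($i = 0; $i < $passes; $i++) {
        $body = preg_replace('/\[hidden-[a-z0-9_-]+\]/i', '', $body);
    }
    return $body;
}

/**
 * Hardened pattern: accept only an integer inside a fixed range, reject
 * anything else, and stop early once a pass no longer changes the body.
 */
function strip_hidden_fields_bounded(string $body, array $post): string {
    $passes = filter_var($post['passes'] ?? 1, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_HIDDEN_FIELD_PASSES],
    ]);
    if ($passes === false) {
        // Invalid or out-of-range quantity: refuse rather than clamp silently,
        // so a caller can answer the request with HTTP 400 and log it.
        throw new InvalidArgumentException(
            'passes must be an integer between 0 and ' . MAX_HIDDEN_FIELD_PASSES
        );
    }
    for ($i = 0; $i < $passes; $i++) {
        $next = preg_replace('/\[hidden-[a-z0-9_-]+\]/i', '', $body);
        if ($next === null || $next === $body) {
            break; // regex error, or nothing left to remove: no more work to do
        }
        $body = $next;
    }
    return $body;
}

// Constructed sample input: a mail body with two hidden-field tags and a
// POST array carrying an oversized count. The hardened function rejects it;
// with 'passes' => '3' it removes both tags and exits after the second pass.
$sample = "Name: [hidden-name]\nEmail: [hidden-email]\nMessage: hello";
try {
    echo strip_hidden_fields_bounded($sample, ['passes' => '999999999']), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```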

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remotely exploitable flaw in a public-facing WordPress plugin that allows an unauthenticated attacker to trigger unbounded resource consumption via a single crafted REST API request, directly enabling application exhaustion and denial of service through software exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2021-47824 (shared CWE-1284)
- CVE-2021-47831 (shared CWE-1284)
- CVE-2021-47827 (shared CWE-1284)
- CVE-2021-47821 (shared CWE-1284)
- CVE-2026-8813 (shared CWE-1284)
- CVE-2021-47818 (shared CWE-1284)
- CVE-2025-12664 (shared CWE-1284)
- CVE-2025-65548 (shared CWE-1284)
- CVE-2024-20149 (shared CWE-1284)
- CVE-2025-14511 (shared CWE-1284)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: SI-10 (Information Input Validation). Directly requires validation of user-supplied inputs (the unbounded iteration count in POST parameters) before they are used to drive preg_replace loops.

- prevent: SC-5 (Denial-of-service Protection). Requires mechanisms to protect against or limit the effects of the exact denial-of-service condition (memory exhaustion via uncontrolled resource consumption) described in the CVE.

- prevent: Supports allocation of finite resources and quotas that would bound the impact of the maliciously large iteration value supplied to the REST endpoint.
