Contact Form 7 Custom Validation
Vulnerabilities: 2
Known exploited: 0
Max CVSS: 9.8
Top EPSS: 0.00566
Severity breakdown: Critical 1, High 0, Medium 1, Low 0
Affected version ranges: < 6.0.6 (from CVE-2025-3247, which concerns the Contact Form 7 plugin itself); through 1.1.3 (from CVE-2023-40609, Contact form 7 Custom validation)
Also matched as (raw): contact_form_7_custom_validation
Top vulnerabilities
CVE-2023-40609: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection. This issue affects Contact form 7 Custom validation from n/a through 1.1.3.
CVE-2025-3247: The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function, due to insufficient validation of a user-controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent across multiple form submissions. Only the first transaction is processed by Stripe, but the plugin sends a successful confirmation email for each submission, which may trick an administrator into fulfilling each order.
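The following is an added example, not code from Contact Form 7 or from the plugin this page indexes, that models the Order Replay failure mode described for CVE-2025-3247 in general terms: a checkout handler that accepts a client-supplied PaymentIntent id without verifying it server-side or binding it to exactly one order lets a single paid intent confirm many orders, while the hardened handler looks the intent up, checks its status and amount, and consumes the id once. The classes FakeStripe, OrderStore and PaymentIntent, the checkout_* functions, and the sample intents and submissions are all constructed for this example and do not correspond to the plugin's real data model or to the Stripe SDK.

```python
"""Order-replay model (constructed example; not the plugin's own code)."""

from dataclasses import dataclass, field


@dataclass
class PaymentIntent:
    """Minimal stand-in for a Stripe PaymentIntent record (constructed)."""
    id: str
    amount: int      # minor units, e.g. cents
    currency: str
    status: str      # e.g. "succeeded" or "requires_payment_method"


class FakeStripe:
    """Stand-in for a server-side PaymentIntent lookup; no network, no real SDK."""

    def __init__(self, intents):
        self._intents = {pi.id: pi for pi in intents}

    def retrieve(self, intent_id):
        return self._intents.get(intent_id)


@dataclass
class OrderStore:
    """What the site persists: confirmation mails sent and intent ids already used."""
    emails_sent: list = field(default_factory=list)
    consumed_intents: set = field(default_factory=set)


def checkout_vulnerable(store, submission):
    """Weak pattern: the only check is that *some* key is present.

    The id is never verified with the payment provider and never bound to an
    order, so every submission that repeats a known id gets a confirmation mail.
    """
    if not submission.get("payment_intent"):
        return "rejected: no payment"
    store.emails_sent.append(submission["order_id"])
    return "accepted"


def checkout_hardened(store, stripe, submission, expected_amount, expected_currency):
    """Hardened pattern: verify the intent server-side, then consume it exactly once."""
    intent_id = submission.get("payment_intent")
    if not intent_id:
        return "rejected: no payment"
    intent = stripe.retrieve(intent_id)          # authoritative state, not the client's claim
    if intent is None or intent.status != "succeeded":
        return "rejected: intent not paid"
    if intent.amount != expected_amount or intent.currency != expected_currency:
        return "rejected: amount mismatch"
    if intent_id in store.consumed_intents:      # replay of an already-used intent
        return "rejected: intent already used"
    store.consumed_intents.add(intent_id)
    store.emails_sent.append(submission["order_id"])
    return "accepted"


def run_demo():
    """Replay one paid intent across three orders against both handlers."""
    stripe = FakeStripe([
        PaymentIntent("pi_paid_001", 4999, "usd", "succeeded"),
        PaymentIntent("pi_unpaid_002", 4999, "usd", "requires_payment_method"),
    ])
    # Constructed replay: three distinct orders all presenting the same paid intent id.
    replay = [{"order_id": f"order-{n}", "payment_intent": "pi_paid_001"} for n in (1, 2, 3)]
    weak, strong = OrderStore(), OrderStore()
    weak_results = [checkout_vulnerable(weak, s) for s in replay]
    strong_results = [checkout_hardened(strong, stripe, s, 4999, "usd") for s in replay]
    unpaid = checkout_hardened(
        strong, stripe, {"order_id": "order-4", "payment_intent": "pi_unpaid_002"}, 4999, "usd"
    )
    return {
        "weak_results": weak_results,
        "weak_emails": len(weak.emails_sent),
        "strong_results": strong_results,
        "strong_emails": len(strong.emails_sent),
        "unpaid": unpaid,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a real deployment the "already used" check must be atomic with the insert (for example a unique index on the stored intent id, with the order accepted only if the insert succeeds); an in-memory check-then-add as above is fine for illustrating the logic but leaves a race window between concurrent submissions.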