{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1540", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-28T14:37:11.670Z", "datePublished": "2026-04-02T06:00:10.124Z", "dateUpdated": "2026-04-02T13:13:54.388Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T06:00:10.124Z"}, "title": "Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution", "problemTypes": [{"descriptions": [{"description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Spam Protect for Contact Form 7", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "1.2.10"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header"}], "references": [{"url": "https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Chiao-Lin Yu (Steven Meow)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:13:46.758483Z", "id": "CVE-2026-1540", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:13:54.388Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1540", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T13:13:46.758483Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:13:37.288Z"}}], "cna": {"title": "Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Chiao-Lin Yu (Steven Meow)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Spam Protect for Contact Form 7", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T06:00:10.124Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1540", "state": "PUBLISHED", "dateUpdated": "2026-04-02T13:13:54.388Z", "dateReserved": "2026-01-28T14:37:11.670Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-02T06:00:10.124Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header"}], "id": "CVE-2026-1540", "lastModified": "2026-04-02T14:16:25.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-02T06:16:22.337", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2.10)"}}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}]}, "original": {"product": "Spam Protect for Contact Form 7", "source": "cna", "vendor": "Unknown"}, "product": "spam_protect_for_contact_form_7", "vendor": "spam_protect_for_contact_form_7"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T15:27:05.563337+00:00", "value": {"mitigation_remediation": ["Upgrade Spam Protect for Contact Form 7 to version 1.2.10 or later", "If upgrading is not possible immediately, disable the plugin\u2019s logging feature or remove the plugin entirely", "Review and restrict editor and administrator roles to limit potential attackers\u2019 permissions", "Backup site files and database before applying any changes"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Spam Protect for Contact Form 7 plugin, specifically any installation with a version earlier than 1.2.10. The plugin is not linked to any major vendor, but any WordPress installation deploying it will be vulnerable if that version is in use.", "description_and_impact": "The vulnerability arises from the ability of the Spam Protect for Contact Form 7 plugin to log request data to a PHP file. When a user with editor privileges sends a specially crafted HTTP header, the log entry is interpreted as executable PHP code, allowing the attacker to run arbitrary commands on the server. This flaw maps to the CWE\u201194 code injection weakness and results in a full remote code execution scenario, jeopardizing confidentiality, integrity, and availability of the affected site.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high impact once bypassed, and with an EPSS of less than 1% the likelihood of public exploitation is currently low. The attack requires the attacker to possess at least editor-level access to the WordPress dashboard or to be able to send crafted POST requests against the plugin endpoint. Because of this requirement, the vulnerability mainly affects sites with many editor users or poorly managed role permissions. No entry in the CISA KEV list means no confirmed large\u2011scale exploitation so far, but the severity warrants prompt patching."}}}}, "created": "2026-04-02T20:15:42.629697+00:00", "updated": "2026-04-02T20:22:18.176114+00:00", "vendors": ["spam_protect_for_contact_form_7", "spam_protect_for_contact_form_7$PRODUCT$spam_protect_for_contact_form_7", "wordpress", "wordpress$PRODUCT$wordpress"]}