[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTJSsk55-b6WGG9ki6UabH8Vb5uDQjZnY728urZ8YLQM":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":48,"crawl_stats":38,"alternatives":52,"analysis":53,"fingerprints":189},"wp-contact-form-7-spam-blocker","Spam Protect for Contact Form 7","1.2.10","NYSL","https:\u002F\u002Fprofiles.wordpress.org\u002Fnysl\u002F","\u003Cp>Spam Protect for Contact Form 7, the ultimate solution to shield your website from the nuisance of spam and intrusive bots. With this incredible, user-friendly WordPress plugin, bid farewell to the hassle of sifting through irrelevant and unsolicited form submissions.\u003C\u002Fp>\n\u003Cp>Gone are the days of wasting precious time on spammy data, advertisements, and unwanted contact details cluttering your inbox. Our plugin empowers you to take control effortlessly. Simply navigate to the Contact Form 7 edit screen and discover the all-new tab, exclusively designed to combat spam.\u003C\u002Fp>\n\u003Cp>Customize your defense strategy by effortlessly adding emails, domains, or specific words and phrases to the block settings. As spammers and bots often employ consistent email domains and commonly used words for their marketing endeavors, you can now proactively prevent their mischief. Watch as their attempts to submit forms are thwarted, replaced by a sleek, custom error message of your choosing.\u003C\u002Fp>\n\u003Cp>But worry not about blocking genuine visitors inadvertently! Our innovative log file system provides you with insightful monitoring, allowing you to identify and understand each blocked attempt. 
Stay confident that you’re preserving the engagement of your valued audience while keeping the disruptive elements at bay.\u003C\u002Fp>\n\u003Cp>Experience the unrivaled convenience and effectiveness of Spam Protect for Contact Form 7 today. Streamline your website’s communication, protect your time, and bid farewell to spam like never before.\u003C\u002Fp>\n\u003Ch3>A brief Markdown Example\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Manually email block.\u003C\u002Fli>\n\u003Cli>Email domain block.\u003C\u002Fli>\n\u003Cli>Words and phrases block.\u003C\u002Fli>\n\u003Cli>Top level domains block.\u003C\u002Fli>\n\u003Cli>Protect form from messages that contain shortlinks.\u003C\u002Fli>\n\u003Cli>Protect from blank text submissions.\u003C\u002Fli>\n\u003Cli>Log the failed messages.\u003C\u002Fli>\n\u003C\u002Fol>\n","Spam Protect for Contact-Form7 protects from spam and bots. Customize defense strategies and monitor blocked attempts. Protect your time effectively!",10000,130910,82,12,"2026-02-06T21:29:00.000Z","6.8.5","5.2","5.4",[20,21,22,23,24],"anti-spam-plugin","contact-form-7-security","form-spam-prevention","website-form-protection","wordpress-form-security","https:\u002F\u002Fnysoftwarelab.com\u002Fspam-protect-for-contact-form7\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-contact-form-7-spam-blocker.1.2.10.zip",99,1,0,"2026-03-20 00:00:00","2026-03-15T15:16:48.613Z",[33],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":6,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":30,"updated_date":44,"references":45,"days_to_patch":47},"CVE-2026-32496","spam-protect-for-contact-form-7-authenticated-editor-arbitrary-file-deletion","Spam Protect for Contact Form 7 \u003C= 1.2.9 - Authenticated (Editor+) Arbitrary File Deletion","The Spam Protect for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient 
file path validation in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",null,"\u003C=1.2.9","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-03-27 18:33:46",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F76421c8e-de5f-4469-9a32-09976de873b4?source=api-prod",8,{"slug":49,"display_name":7,"profile_url":8,"plugin_count":28,"total_installs":11,"avg_security_score":27,"avg_patch_time_days":47,"trust_score":50,"computed_at":51},"nysl",93,"2026-04-05T13:53:20.356Z",[],{"attackSurface":54,"codeSignals":106,"taintFlows":121,"riskAssessment":176,"analyzedAt":188},{"hooks":55,"ajaxHandlers":102,"restRoutes":103,"shortcodes":104,"cronEvents":105,"entryPointCount":29,"unprotectedCount":29},[56,62,67,72,75,78,81,84,87,92,95,97,100],{"type":57,"name":58,"callback":59,"file":60,"line":61},"filter","wpcf7_editor_panels","spcf7_plugin_editor_panels","admin\\class-admin.php",46,{"type":63,"name":64,"callback":65,"file":60,"line":66},"action","wpcf7_after_save","spcf7_plugin_save_contact_form",49,{"type":57,"name":68,"callback":69,"priority":70,"file":71,"line":61},"wpcf7_validate_email","spcf_check_email",10,"frontend\\class-front.php",{"type":57,"name":73,"callback":69,"priority":70,"file":71,"line":74},"wpcf7_validate_email*",47,{"type":57,"name":76,"callback":77,"priority":70,"file":71,"line":66},"wpcf7_validate_text","spcf_check_text",{"type":57,"name":79,"callback":77,"priority":70,"file":71,"line":80},"wpcf7_validate_text*",50,{"type":57,"name":82,"callback":77,"priority":70,"file":71,"line":83},"wpcf7_validate_textarea",52,{"type":57,"name":85,"callback":77,"priority":70,"f
ile":71,"line":86},"wpcf7_validate_textarea*",53,{"type":63,"name":88,"callback":89,"file":90,"line":91},"plugins_loaded","anonymous","includes\\class-blocker.php",97,{"type":63,"name":93,"callback":89,"file":90,"line":94},"admin_enqueue_scripts",108,{"type":63,"name":93,"callback":89,"file":90,"line":96},109,{"type":63,"name":98,"callback":89,"file":90,"line":99},"wp_enqueue_scripts",120,{"type":63,"name":98,"callback":89,"file":90,"line":101},121,[],[],[],[],{"dangerousFunctions":107,"sqlUsage":108,"outputEscaping":110,"fileOperations":119,"externalRequests":29,"nonceChecks":29,"capabilityChecks":29,"bundledLibraries":120},[],{"prepared":29,"raw":29,"locations":109},[],{"escaped":111,"rawEcho":112,"locations":113},31,2,[114,117],{"file":60,"line":115,"context":116},207,"raw output",{"file":60,"line":118,"context":116},212,3,[],[122,147,160],{"entryPoint":123,"graph":124,"unsanitizedCount":112,"severity":40},"spcf7_plugin_admin_post_settings (admin\\class-admin.php:69)",{"nodes":125,"edges":142},[126,131,137,140],{"id":127,"type":128,"label":129,"file":60,"line":130},"n0","source","$_GET (x8)",70,{"id":132,"type":133,"label":134,"file":60,"line":135,"wp_function":136},"n1","sink","echo() [XSS]",130,"echo",{"id":138,"type":128,"label":139,"file":60,"line":130},"n2","$_GET (x2)",{"id":141,"type":133,"label":134,"file":60,"line":115,"wp_function":136},"n3",[143,145],{"from":127,"to":132,"sanitized":144},true,{"from":138,"to":141,"sanitized":146},false,{"entryPoint":148,"graph":149,"unsanitizedCount":28,"severity":40},"spcf7_plugin_save_contact_form (admin\\class-admin.php:239)",{"nodes":150,"edges":158},[151,154],{"id":127,"type":128,"label":152,"file":60,"line":153},"$_POST",275,{"id":132,"type":133,"label":155,"file":60,"line":156,"wp_function":157},"fopen() [File Access]",294,"fopen",[159],{"from":127,"to":132,"sanitized":146},{"entryPoint":161,"graph":162,"unsanitizedCount":119,"severity":40},"\u003Cclass-admin> 
(admin\\class-admin.php:0)",{"nodes":163,"edges":172},[164,165,166,167,168,170],{"id":127,"type":128,"label":129,"file":60,"line":130},{"id":132,"type":133,"label":134,"file":60,"line":135,"wp_function":136},{"id":138,"type":128,"label":139,"file":60,"line":130},{"id":141,"type":133,"label":134,"file":60,"line":115,"wp_function":136},{"id":169,"type":128,"label":152,"file":60,"line":153},"n4",{"id":171,"type":133,"label":155,"file":60,"line":156,"wp_function":157},"n5",[173,174,175],{"from":127,"to":132,"sanitized":144},{"from":138,"to":141,"sanitized":146},{"from":169,"to":171,"sanitized":146},{"summary":177,"deductions":178},"The plugin 'wp-contact-form-7-spam-blocker' version 1.2.10 exhibits a generally strong security posture based on the provided static analysis.  The plugin's history contains one CVE, CVE-2026-32496 (medium severity, CVSS 6.5): an authenticated (Editor+) arbitrary file deletion affecting versions up to and including 1.2.9, patched in 1.2.10; no critical or high severity vulnerabilities are reported.  The code analysis reveals a clean slate regarding dangerous functions and external HTTP requests, and no SQL usage was detected.  Furthermore, output escaping is largely effective, with 94% of outputs being properly escaped.  This suggests a mature and well-maintained plugin.\n\nHowever, a significant concern arises from the taint analysis, which identified three flows with unsanitized paths. While these did not reach a critical or high severity level, the presence of unsanitized paths, even if mitigated by other factors not detailed here, represents a potential area of weakness.  The plugin also lacks capability checks and nonce checks entirely, which, coupled with zero unprotected AJAX handlers or REST API routes, implies that these entry points are either not used or are protected by other means not immediately apparent in this report.  
The file operations without context for their security implications also warrant a minor caution.\n\nIn conclusion, the plugin is largely secure, with a strong track record and good coding practices in place. The primary areas of concern are the identified unsanitized paths in the taint analysis and the complete absence of capability and nonce checks. These factors, while not currently manifesting as critical vulnerabilities, should be monitored and addressed for a more robust security posture.",[179,181,184,186],{"reason":180,"points":70},"Taint flows with unsanitized paths found",{"reason":182,"points":183},"No capability checks",5,{"reason":185,"points":183},"No nonce checks",{"reason":187,"points":119},"File operations present without detailed security context","2026-03-16T17:44:07.828Z",{"wat":190,"direct":203},{"assetPaths":191,"generatorPatterns":196,"scriptPaths":197,"versionParams":198},[192,193,194,195],"\u002Fwp-content\u002Fplugins\u002Fwp-contact-form-7-spam-blocker\u002Fadmin\u002Fcss\u002Fstyle.css","\u002Fwp-content\u002Fplugins\u002Fwp-contact-form-7-spam-blocker\u002Fadmin\u002Fjs\u002Fspcf7-admin.js","\u002Fwp-content\u002Fplugins\u002Fwp-contact-form-7-spam-blocker\u002Fpublic\u002Fcss\u002Fspcf7-public.css","\u002Fwp-content\u002Fplugins\u002Fwp-contact-form-7-spam-blocker\u002Fpublic\u002Fjs\u002Fspcf7-public.js",[],[],[199,200,201,202],"wp-contact-form-7-spam-blocker\u002Fadmin\u002Fcss\u002Fstyle.css?ver=","wp-contact-form-7-spam-blocker\u002Fadmin\u002Fjs\u002Fspcf7-admin.js?ver=","wp-contact-form-7-spam-blocker\u002Fpublic\u002Fcss\u002Fspcf7-public.css?ver=","wp-contact-form-7-spam-blocker\u002Fpublic\u002Fjs\u002Fspcf7-public.js?ver=",{"cssClasses":204,"htmlComments":209,"htmlAttributes":222,"restEndpoints":241,"jsGlobals":242,"shortcodeOutput":244},[205,206,207,208],"spcf7-notice","blocker-7-setting","blocker-7-setting-small","main-wrap",[210,211,212,213,214,215,216,217,218,219,220,218,221],"\u003C!-- If this file is called directly, 
abort. -->","\u003C!-- The code that runs during plugin activation. -->","\u003C!-- The code that runs during plugin deactivation. -->","\u003C!-- The core plugin class that is used to define internationalization, admin-specific hooks, and public-facing site hooks. -->","\u003C!-- Begins execution of the plugin... -->","\u003C!-- Since everything within the plugin is registered via hooks, then kicking off the plugin from this point in the file does not affect the page life cycle. -->","\u003C!-- The admin-specific functionality of the plugin. -->","\u003C!-- Constructor of the class. -->","\u003C!-- hook into contact form 7 form -->","\u003C!-- hook into contact form 7 admin form save -->","\u003C!-- hook notice function -->","\u003C!-- Default error message -->",[223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240],"id=\"wpcf7-block-email-list-id\"","id=\"wpcf7-block-email-domain-id\"","id=\"wpcf7-block-top-domain-id\"","id=\"wpcf7-protected-fields-id\"","id=\"wpcf7-block-words-id\"","id=\"wpcf7-block-shortlinks-id\"","id=\"wpcf7-block-logging-id\"","id=\"wpcf7-block-log-filename-id\"","id=\"wpcf7-block-email-error-msg-id\"","name=\"wpcf7_block_email_list\"","name=\"wpcf7_block_email_domain\"","name=\"wpcf7_block_top_domain\"","name=\"wpcf7_protected_fields\"","name=\"wpcf7_block_words\"","name=\"wpcf7_block_shortlinks\"","name=\"wpcf7_block_logging\"","name=\"wpcf7_block_log_filename\"","name=\"wpcf7_block_email_error_msg\"",[],[243],"window.spcf7_object",[]]