[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXmmYHQbHXWreWIHuz3Zz-em77Y8sAM2m7yldev2pUf0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-1540","spam-protect-for-contact-form-7-authenticated-editor-remote-code-execution","Spam Protect for Contact Form 7 \u003C 1.2.10 - Authenticated (Editor+) Remote Code Execution","The Spam Protect for Contact Form 7 plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 1.2.10 (exclusive). This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.","wp-contact-form-7-spam-blocker",null,"\u003C1.2.10","1.2.10","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-03-12 00:00:00","2026-04-15 19:40:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F13dbda83-d309-4723-9876-1b19f5ab4620?source=api-prod",35,[22,23,24],"README.txt","admin\u002Fclass-admin.php","spam-protect-for-contact-form7.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-1540\n\n## 1. Vulnerability Summary\nThe **Spam Protect for Contact Form 7** plugin (up to version 1.2.9) is vulnerable to **Remote Code Execution (RCE)** via an arbitrary file write\u002Finjection vulnerability. The plugin allows users with Editor-level permissions (or higher) to define a custom filename for spam logs. Because the plugin does not restrict the file extension or sanitize the file path, an attacker can specify a `.php` filename. When the plugin logs a blocked spam attempt, it writes submitted form data (which can contain PHP code) into the specified file, leading to server-side code execution.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: The Contact Form 7 (CF7) editor and the public form submission endpoint.\n- **Hook**: `wpcf7_after_save` (triggered when saving CF7 settings) and CF7 submission validation hooks (triggered on form submission).\n- **Vulnerable Parameter**: `wpcf7_block_log_filename` (settings) and form fields like `your-message` (injection).\n- **Authentication**: Authenticated Editor+ level access is required to modify the settings. Unauthenticated access is sufficient to trigger the log entry (and thus the RCE) once the setting is configured.\n- **Preconditions**:\n    - Contact Form 7 must be installed and active.\n    - A contact form must exist.\n\n## 3. Code Flow\n1. **Setting Definition**: In `admin\u002Fclass-admin.php`, the plugin registers an \"Antispam Settings\" tab for CF7.\n2. **Metadata Storage**: When the \"Save\" button is clicked in the CF7 editor, the `wpcf7_after_save` hook calls `spcf7_plugin_save_contact_form` (inferred). This function saves the `_wpcf7_block_log_filename` meta key.\n3. **Log Check**: The `spcf7_plugin_admin_post_settings` function in `admin\u002Fclass-admin.php` retrieves this filename and checks its size using:\n   `filesize(\"..\u002Fwp-content\u002F\".$wpcf7_block_log_filename)`. (Line 92).\n4. **Log Writing**: When a user submits a CF7 form, the blocker logic (in `includes\u002Fclass-blocker.php`) checks if the submission is spam based on the saved settings.\n5. **Trigger**: If a blocked value (e.g., a specific email) is used, the plugin calls a logging function. This function uses the `_wpcf7_block_log_filename` (e.g., `shell.php`) and prepends `..\u002Fwp-content\u002F`.\n6. **Sink**: The log entry, including the submitted \"message\" or \"IP\", is written to `wp-content\u002Fshell.php` via `fopen`\u002F`fwrite` or `file_put_contents`.\n\n## 4. Nonce Acquisition Strategy\nTo update the plugin settings, the attacker must submit a POST request to the CF7 save","The Spam Protect for Contact Form 7 plugin allows authenticated users with Editor-level permissions to set a custom log filename without extension validation. An attacker can set the log filename to a .php file, then trigger a spam-blocked form submission containing a PHP payload, which is subsequently written to the log file in the wp-content directory, resulting in Remote Code Execution.","\u002F\u002F admin\u002Fclass-admin.php L271\n\n        \u002F\u002F Log filename\n        $wpcf7_block_log_filename = sanitize_text_field( preg_replace('\u002F[\\x00-\\x1F\\x80-\\xFF]\u002F', '', $_POST['wpcf7_block_log_filename'] ) );\n        update_post_meta($post_id, \"_wpcf7_block_log_filename\", trim($wpcf7_block_log_filename));\n\n---\n\n\u002F\u002F admin\u002Fclass-admin.php L92\n\n        if ($wpcf7_block_log_filename != \"\") { $log_file_size = filesize(\"..\u002Fwp-content\u002F\".$wpcf7_block_log_filename); }else{ $log_file_size = filesize(\"..\u002Fwp-content\u002Fspcf_spam_block.log\"); }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-contact-form-7-spam-blocker\u002F1.2.9\u002Fadmin\u002Fclass-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-contact-form-7-spam-blocker\u002F1.2.10\u002Fadmin\u002Fclass-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-contact-form-7-spam-blocker\u002F1.2.9\u002Fadmin\u002Fclass-admin.php\t2025-08-16 18:17:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-contact-form-7-spam-blocker\u002F1.2.10\u002Fadmin\u002Fclass-admin.php\t2026-02-06 21:29:26.000000000 +0000\n@@ -83,6 +83,8 @@\n         $can_send_request = false;\n \n         if ($wpcf7_block_log_filename != \"\") { $log_file_size = filesize(\"..\u002Fwp-content\u002F\".$wpcf7_block_log_filename); }else{ $log_file_size = filesize(\"..\u002Fwp-content\u002Fspcf_spam_block.log\"); }\n+        if (empty($wpcf7_block_log_filename)) { $wpcf7_block_log_filename = \"spcf_spam_block.log\"; }\n+\n         $log_file_size_str = 0;\n         if ($log_file_size > 0 && $log_file_size \u003C 1024000){\n             $log_file_size_str = round($log_file_size \u002F1024, 2).\" KB\";\n@@ -184,8 +186,8 @@\n                 \u003Cdiv class=\"block-error-msg\">\n                     \u003Ch3 class=\"blocker-7-setting second\">Set your log file filename. \u003Cspan>\u003Csmall>(optional)\u003C\u002Fsmall>\u003C\u002Fspan>\u003C\u002Fh3>\n                     \u003Cp>\u003Csmall class=\"blocker-7-setting-small\">\n-                        Please specify the filename you prefer for storing the log. For instance, 'spcf_spam_block.log' (recommended), 'mylog.txt,' or '[random-secret-name].html.' \u003Cbr>\n-                    You may leave this field blank to use the default value. Utilize this field to manage different log files for multiple contact forms across your site. \u003Cbr>\n+                    Please specify the filename you prefer for storing the log. For instance, 'spcf_spam_block.log' (recommended), 'myform.log,' or '[random-name].log', extension must always be (.log). \u003Cbr>\n+                    You may leave this field blank to use the default value 'spcf_spam_block.log'. You can utilize this field to manage different log files for multiple contact forms across your site. \u003Cbr>\n                     IMPORTANT: Ensure your server supports MIME file extensions for download or viewing, and ensure the file does not already exist or is being used by another plugin.\n                     \u003C\u002Fsmall>\u003C\u002Fp>\n                     \u003Cinput type=\"text\" name=\"wpcf7_block_log_filename\" id=\"wpcf7-block-log-filename-id\" \n@@ -271,7 +273,17 @@\n \n         \u002F\u002F Log filename\n         $wpcf7_block_log_filename = sanitize_text_field( preg_replace('\u002F[\\x00-\\x1F\\x80-\\xFF]\u002F', '', $_POST['wpcf7_block_log_filename'] ) );\n-        update_post_meta($post_id, \"_wpcf7_block_log_filename\", trim($wpcf7_block_log_filename));\n+        \u002F\u002F Ensure filename is not empty and ends with .log\n+        if (!empty($wpcf7_block_log_filename)) {\n+            \u002F\u002F Ensure filename ends with .log\n+            if (pathinfo($wpcf7_block_log_filename, PATHINFO_EXTENSION) !== 'log') {\n+                $wpcf7_block_log_filename .= '.log';\n+            }\n+        } else {\n+            $wpcf7_block_log_filename = \"spcf_spam_block.log\";\n+        }\n+        \n+        update_post_meta($post_id, \"_wpcf7_block_log_filename\", trim($wpcf7_block_log_filename));        \n \n         \u002F\u002FErase Log\n         $erase_log = sanitize_text_field($_POST['wpcf7_block_log_erase']);","To exploit this vulnerability, an attacker with Editor-level access or higher must first modify the Antispam Settings for a Contact Form 7 instance. The attacker updates the `wpcf7_block_log_filename` setting to a PHP filename (e.g., `shell.php`). Then, the attacker or an unauthenticated user submits a form that triggers a spam block (for example, by including a blacklisted word). In this submission, the attacker includes a malicious PHP payload (e.g., `\u003C?php system($_GET['cmd']); ?>`) in one of the form fields. The plugin writes this submission data into the specified log file at `wp-content\u002Fshell.php`, which the attacker can then access directly to execute code.","gemini-3-flash-preview","2026-04-18 04:02:23","2026-04-18 04:03:10",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.2.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-spam-blocker\u002Ftags\u002F1.2.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-contact-form-7-spam-blocker.1.2.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-spam-blocker\u002Ftags\u002F1.2.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-contact-form-7-spam-blocker.1.2.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-contact-form-7-spam-blocker\u002Ftags"]