Contact Form 7 < 6.0.6 – Order Replay Vulnerability | CVE 2025-3247 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Order Replay via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

Affects Plugins

Fixed in 6.0.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/38257dbf-288e-4028-af65-85f5389888ac

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Asaf Mozes

Verified

No

WPVDB ID

7dbafbe2-abbc-4191-a587-afa89c2f7421

Timeline

Publicly Published

2025-04-15 (about 10 months ago)

Added

2025-04-16 (about 10 months ago)

Last Updated

2025-04-16 (about 10 months ago)

Other

Published

Title

Published

2025-12-15

Title

FAPI Member <= 2.2.29 - Unauthenticated Insecure Direct Object Reference

Published

2024-09-06

Title

ForumWP – Forum & Discussion Board Plugin < 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover

Published

2024-09-05

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.9 - Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update

Published

2026-01-02

Title

Verdure <= 1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2023-08-01

Title

Stripe Payment Plugin for WooCommerce < 3.7.8 - Authentication Bypass