CVE-2026-25863
Published: 04 May 2026
Description
Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement.
Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
Security Summary (AI)
CVE-2026-25863 is an uncontrolled resource consumption vulnerability (CWE-1284) in the Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7. The flaw exists in the Wpcf7cfMailParser class's hide_hidden_mail_fields_regex_callback() method, which reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement, enabling unbounded loop execution with multiple preg_replace() operations.
Unauthenticated attackers can exploit the vulnerability remotely via the REST API endpoint by supplying an arbitrarily large integer value in POST parameters. This causes excessive resource consumption, exhausting server memory and crashing the PHP process, resulting in denial of service. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact with no requirements for privileges or user interaction.
Mitigation guidance is available in advisories such as the VulnCheck report at https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption and the plugin's developer documentation at https://wordpress.org/plugins/cf7-conditional-fields/#developers.
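The bug class described above, an iteration count taken from the request and used as a loop bound, and its bounded form, shown here as an added PHP illustration; this is not the plugin's code, and the function names, the `iterations` parameter, the placeholder regex and the ceiling of 10 are all assumptions:

```php
<?php
// Hypothetical illustration of the CWE-1284 pattern and a bounded fix.
// Not the plugin's actual code; names, parameter and ceiling are assumed.

const MAX_HIDE_ITERATIONS = 10; // assumed ceiling: the deepest nesting the feature legitimately needs

/**
 * Weak form: the loop bound is whatever the client sent, so each request can
 * force an arbitrary number of preg_replace() passes over the mail body.
 */
function hide_hidden_fields_unbounded(string $mail_body, array $post): string
{
    $iterations = (int) ($post['iterations'] ?? 1); // no upper bound enforced
    for ($i = 0; $i < $iterations; $i++) {
        $mail_body = preg_replace('/\[hidden:[^\]]*\]/', '', $mail_body);
    }
    return $mail_body;
}

/**
 * Validate the raw request value as an integer and clamp it to a fixed ceiling.
 * Non-integer or negative input falls back to a single pass, never to the client value.
 */
function clamp_iterations($raw, int $max = MAX_HIDE_ITERATIONS): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    if ($n === false || $n < 0) {
        return 1;
    }
    return min($n, $max);
}

/**
 * Hardened form: the bound is clamped, and the loop also stops as soon as a pass
 * replaces nothing, so the work done depends on the mail body, not on the request.
 */
function hide_hidden_fields_bounded(string $mail_body, array $post): string
{
    $iterations = clamp_iterations($post['iterations'] ?? 1);
    for ($i = 0; $i < $iterations; $i++) {
        $updated = preg_replace('/\[hidden:[^\]]*\]/', '', $mail_body, -1, $count);
        if ($updated === null || $count === 0) {
            break; // PCRE error or nothing left to replace: stop early
        }
        $mail_body = $updated;
    }
    return $mail_body;
}
```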
Details
- CWE(s)