High severity7.2NVD Advisory· Published Apr 2, 2026· Updated Apr 15, 2026

CVE-2026-1540

Description

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header

Affected products

WordPress/Spam Protect For Contact Form 7inferred
Range: <1.2.10
Package: https://wordpress.org/plugins/spam-protect-for-contact-form-7

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95/nvd

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000