CVE-2026-1540 PUBLISHED

Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution

Assigner: WPScan
Reserved: 28.01.2026 Published: 02.04.2026 Updated: 02.04.2026

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could let an attacker with Editor access achieve remote code execution by using a crafted header.

Product Status

Vendor Unknown
Product Spam Protect for Contact Form 7
Versions Default: unaffected
  • affected from 0 to 1.2.10 (excl.)

Credits

  • Chiao-Lin Yu (Steven Meow) finder
  • WPScan coordinator

Problem Types

  • CWE-94 Improper Control of Generation of Code ('Code Injection')