Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network reach (AV:N/PR:N/UI:N), but AC:H because exploitation depends on a non-default admin configuration placing a CF7 placeholder in the URL host; scope changes to internal services with limited C/I impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the admin-configured webhook URL contains a Contact Form 7 field placeholder in the host segment of the URL, and that the affected form is publicly accessible.
Articles & Coverage 2
AnalysisAI
Server-Side Request Forgery in the CF7 to Webhook WordPress plugin (versions up to and including 5.0.0) allows unauthenticated attackers to coerce the WordPress server into issuing arbitrary outbound HTTP requests through the pull_the_trigger functionality. Exploitation is conditional on an administrator configuring the webhook URL with a Contact Form 7 field placeholder inside the host portion of the URL, with the form publicly reachable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three specific, concurrent conditions, all called out in the advisory: the site must run CF7 to Webhook version 5.0.0 or earlier; a site administrator must have configured at least one webhook destination URL whose host segment contains a Contact Form 7 field placeholder (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The 7.2 CVSS rating (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects unauthenticated network reach, low complexity, and a scope change to back-end services the attacker should not normally talk to - internal admin panels, cloud metadata endpoints (e.g. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates WordPress sites that expose a public Contact Form 7 form wired to CF7 to Webhook and submits crafted field values that, after server-side templating, rewrite the webhook host to an internal target such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ or an internal admin API. The plugin's pull_the_trigger code path then issues that HTTP request from the WordPress server, returning data to (or mutating state on) services that should never be reachable from the public internet. … |
| Remediation | Upstream fix available (commit/changeset 3562661 on the cf7-to-zapier trac repository); a released patched version above 5.0.0 is not independently confirmed from the supplied data, so administrators should upgrade to the latest available CF7 to Webhook release published after that changeset and verify the installed version on the WordPress plugins screen. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress installations using CF7 to Webhook plugin versions ≤5.0.0; audit webhook configurations for CF7 field placeholders in host portions; identify publicly reachable Contact Form 7 forms. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37863
GHSA-g67p-9qph-gpr2