Skip to main content

CF7 to Webhook CVE-2026-11395

| EUVDEUVD-2026-37863 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-18 Wordfence GHSA-g67p-9qph-gpr2
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Unauthenticated network reach (AV:N/PR:N/UI:N), but AC:H because exploitation depends on a non-default admin configuration placing a CF7 placeholder in the URL host; scope changes to internal services with limited C/I impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 08:03 vuln.today
CVE Published
Jun 18, 2026 - 06:50 cve.org
HIGH 7.2

DescriptionCVE.org

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the admin-configured webhook URL contains a Contact Form 7 field placeholder in the host segment of the URL, and that the affected form is publicly accessible.

AnalysisAI

Server-Side Request Forgery in the CF7 to Webhook WordPress plugin (versions up to and including 5.0.0) allows unauthenticated attackers to coerce the WordPress server into issuing arbitrary outbound HTTP requests through the pull_the_trigger functionality. Exploitation is conditional on an administrator configuring the webhook URL with a Contact Form 7 field placeholder inside the host portion of the URL, with the form publicly reachable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public CF7 form using vulnerable plugin
Delivery
Probe webhook URL template for host-segment placeholder
Exploit
Submit form with crafted host value
Execution
Plugin substitutes attacker host via pull_the_trigger
Persist
WordPress server issues SSRF request to internal target
Impact
Exfiltrate or modify internal service data

Vulnerability AssessmentAI

Exploitation Exploitation requires three specific, concurrent conditions, all called out in the advisory: the site must run CF7 to Webhook version 5.0.0 or earlier; a site administrator must have configured at least one webhook destination URL whose host segment contains a Contact Form 7 field placeholder (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The 7.2 CVSS rating (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects unauthenticated network reach, low complexity, and a scope change to back-end services the attacker should not normally talk to - internal admin panels, cloud metadata endpoints (e.g. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates WordPress sites that expose a public Contact Form 7 form wired to CF7 to Webhook and submits crafted field values that, after server-side templating, rewrite the webhook host to an internal target such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ or an internal admin API. The plugin's pull_the_trigger code path then issues that HTTP request from the WordPress server, returning data to (or mutating state on) services that should never be reachable from the public internet. …
Remediation Upstream fix available (commit/changeset 3562661 on the cf7-to-zapier trac repository); a released patched version above 5.0.0 is not independently confirmed from the supplied data, so administrators should upgrade to the latest available CF7 to Webhook release published after that changeset and verify the installed version on the WordPress plugins screen. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress installations using CF7 to Webhook plugin versions ≤5.0.0; audit webhook configurations for CF7 field placeholders in host portions; identify publicly reachable Contact Form 7 forms. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy