What is the CVSS score of CVE-2026-1540?

CVE-2026-1540 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2026-1540?

Spam Protect for Contact Form 7 WordPress plugin versions before 1.2.10 contain a remote code execution vulnerability that allows authenticated users with editor-level permissions to execute…. A patch is available.

Is there a public PoC exploit available for CVE-2026-1540?

Yes, a public proof-of-concept exploit is available for CVE-2026-1540. Prioritise patching immediately. EPSS: 0.0%.

PHP CVE-2026-1540

EUVD-2026-18128 HIGH

Code Injection (CWE-94)

2026-04-02 WPScan

GHSA-76vr-6c8c-grfj

PHP WordPress RCE Code Injection

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:09 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.2.10

PoC Detected

Apr 03, 2026 - 16:10 vuln.today

Public exploit code

EUVD ID Assigned

Apr 02, 2026 - 06:15 euvd

EUVD-2026-18128

Analysis Generated

Apr 02, 2026 - 06:15 vuln.today

CVE Published

Apr 02, 2026 - 06:00 nvd

HIGH 7.2

DescriptionNVD

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header

AnalysisAI

Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.

RemediationAI

Within 24 hours: Identify all WordPress installations using Spam Protect for Contact Form 7 and determine current plugin versions; disable the plugin if version is below 1.2.10 and cannot be immediately updated. Within 7 days: Update Spam Protect for Contact Form 7 to version 1.2.10 or later across all affected installations; audit editor-level user accounts for unauthorized activity. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-7862 HIGH This Week POC

8.6 May 28

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t

CVE-2026-6960 CRITICAL Act Now

9.8 May 21

Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execu

CVE-2026-8760 CRITICAL Act Now

9.8 May 27

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic

CVE-2026-42727 CRITICAL Act Now

9.3 May 27

Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl

CVE-2026-42761 CRITICAL Act Now

9.3 May 27

Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and

CVE-2026-1540 vulnerability details – vuln.today

Back

PHP CVE-2026-1540

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code