Skip to main content

Spam Protect For Contact Form 7 CVE-2026-32496

| EUVDEUVD-2026-15841 MEDIUM
Path Traversal (CWE-22)
2026-03-25 Patchstack GHSA-w3cm-8fgm-q9x2
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 10:22 NVD
6.7 (MEDIUM) 6.8 (MEDIUM)
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15841
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.7

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9.

AnalysisAI

Path traversal in NYSL Spam Protect for Contact Form 7 up to version 1.2.9 enables authenticated attackers with high privileges to access files outside intended directories. The vulnerability requires administrator-level access and does not allow code execution or service disruption, but could expose sensitive configuration files or other restricted data. No patch is currently available.

Technical ContextAI

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal or directory traversal weakness. This occurs when an application fails to properly sanitize user-supplied input that is used to construct file system paths, allowing attackers to use special characters (such as ../ sequences) to navigate to parent directories and access files outside the intended scope. The affected product is NYSL Spam Protect for Contact Form 7 (CPE: cpe:2.3:a:nysl:spam_protect_for_contact_form_7:*:*:*:*:*:*:*:*), a WordPress plugin designed to filter spam submissions in Contact Form 7. The root cause stems from insufficient input validation or path canonicalization within the plugin's file handling routines.

RemediationAI

Immediately upgrade NYSL Spam Protect for Contact Form 7 to a version later than 1.2.9 (recommended 1.3.0 or later if available). Access the WordPress admin dashboard, navigate to Plugins, select this plugin, and update to the patched version, or download the latest version from the official WordPress plugin repository. Until an upgrade is possible, disable the plugin to prevent exploitation, and review WordPress access logs and file system integrity for signs of unauthorized file access or deletion. Implement file system permissions restrictions (principle of least privilege) to limit the plugin's write access to only necessary directories, and consider using WordPress security plugins with file integrity monitoring to detect malicious file operations.

Share

CVE-2026-32496 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy