Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9.
AnalysisAI
Path traversal in NYSL Spam Protect for Contact Form 7 up to version 1.2.9 enables authenticated attackers with high privileges to access files outside intended directories. The vulnerability requires administrator-level access and does not allow code execution or service disruption, but could expose sensitive configuration files or other restricted data. No patch is currently available.
Technical ContextAI
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal or directory traversal weakness. This occurs when an application fails to properly sanitize user-supplied input that is used to construct file system paths, allowing attackers to use special characters (such as ../ sequences) to navigate to parent directories and access files outside the intended scope. The affected product is NYSL Spam Protect for Contact Form 7 (CPE: cpe:2.3:a:nysl:spam_protect_for_contact_form_7:*:*:*:*:*:*:*:*), a WordPress plugin designed to filter spam submissions in Contact Form 7. The root cause stems from insufficient input validation or path canonicalization within the plugin's file handling routines.
RemediationAI
Immediately upgrade NYSL Spam Protect for Contact Form 7 to a version later than 1.2.9 (recommended 1.3.0 or later if available). Access the WordPress admin dashboard, navigate to Plugins, select this plugin, and update to the patched version, or download the latest version from the official WordPress plugin repository. Until an upgrade is possible, disable the plugin to prevent exploitation, and review WordPress access logs and file system integrity for signs of unauthorized file access or deletion. Implement file system permissions restrictions (principle of least privilege) to limit the plugin's write access to only necessary directories, and consider using WordPress security plugins with file integrity monitoring to detect malicious file operations.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15841
GHSA-w3cm-8fgm-q9x2