CVE-2025-3247
CVE-2025-3247 is a medium-severity vulnerability in Rocklobster Contact Form 7 with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-354.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- EPSS exploit prediction: 0% (14th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-11473
- Weakness: CWE-354
- Affected product: Rocklobster Contact Form 7
- Published:
- Last modified:
Description
The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
Frequently asked questions
- What is CVE-2025-3247?
- The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
- How severe is CVE-2025-3247?
- CVE-2025-3247 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2025-3247 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (14th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-3247?
- CVE-2025-3247 affects Rocklobster Contact Form 7. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-3247?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-3247 have an EU (EUVD) identifier?
- Yes. CVE-2025-3247 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-11473.
- When was CVE-2025-3247 published?
- CVE-2025-3247 was published on 2025-04-16 and last updated on 2026-06-17.
References
- https://plugins.trac.wordpress.org/browser/contact-form-7/tags/6.0.5/modules/stripe/stripe.php#L114
- https://plugins.trac.wordpress.org/changeset/3270138/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/38257dbf-288e-4028-af65-85f5389888ac?source=cve
Affected products (1)
- cpe:2.3:a:rocklobster:contact_form_7:*:*:*:*:*:wordpress:*:*
More vulnerabilities in Rocklobster Contact Form 7
- CVE-2020-35489 — Critical (CVSS 10.0): The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote…
- CVE-2018-20979 — Critical (CVSS 9.8): The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in…
- CVE-2021-24159 — High (CVSS 8.8): Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a…
- CVE-2023-6449 — Medium (CVSS 6.6): The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type…
- CVE-2024-4704 — Medium (CVSS 6.1): The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL…
- CVE-2024-2242 — Medium (CVSS 6.1): The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’…
All CVEs affecting Rocklobster Contact Form 7 →
Other CWE-354 vulnerabilities
- CVE-2025-11543 — Critical (CVSS 9.8): Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may…
- CVE-2024-25678 — Critical (CVSS 9.8): In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled.
- CVE-2023-33668 — Critical (CVSS 9.8): DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover…
- CVE-2017-15994 — Critical (CVSS 9.8): rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to…
- CVE-2026-49230 — Critical (CVSS 9.1): Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default…
- CVE-2026-34182 — Critical (CVSS 9.1): Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the…