WordPress Conditional Fields for Contact Form 7 Uncontrolled Resource Consumption Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the WordPress plugin 'Conditional Fields for Contact Form 7', affecting versions prior to 2.7.3. The issue lies in the 'Wpcf7cfMailParser' class, specifically in the 'hide_hidden_mail_fields_regex_callback()' method. This method does not properly validate user-supplied POST data, so an unauthenticated attacker can submit very large integer values through the REST API. Because these values are neither validated nor bounded, the method can loop indefinitely, performing repeated 'preg_replace()' operations. This exhausts server memory and causes the PHP process to crash.

Impact

Exploitation of this vulnerability leads to uncontrolled resource consumption, causing a denial-of-service condition by crashing the PHP process and exhausting server memory.

Remediation

Users can update to 'Conditional Fields for Contact Form 7' version 2.7.3 or later to address this vulnerability.

Added: May 4, 2026, 7:25 PM
Updated: May 4, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 7.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.