CVE-2026-11395 mariovalney CVE debrief

Who should care

WordPress users and administrators who have installed the CF7 to Webhook plugin, especially those with publicly accessible forms, should be aware of this vulnerability and take immediate action to protect their sites. Security teams monitoring for potential SSRF attacks should also prioritize this CVE.

Technical summary

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) due to inadequate validation of user input. Specifically, the 'pull_the_trigger' functionality allows unauthenticated attackers to make arbitrary web requests. The vulnerability is characterized by the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. This means the vulnerability can be exploited remotely without authentication, and it has a moderate impact on confidentiality and integrity.

Defensive priority

High

Recommended defensive actions

• Update the CF7 to Webhook plugin to a version beyond 5.0.0 immediately.
• Review and restrict access to publicly accessible forms that use the CF7 to Webhook plugin.
• Monitor webhook URLs for suspicious activity and ensure they do not contain Contact Form 7 field placeholders in the host segment.
• Implement additional security measures to detect and prevent SSRF attacks.
• Regularly review and update all WordPress plugins and themes.
• Consider using a Web Application Firewall (WAF) to detect and block suspicious traffic.
• Educate administrators and users about the risks associated with this vulnerability.

Evidence notes

The information provided is based on data from official sources, including the National Vulnerability Database (NVD) and Wordfence security research. The CVE record and NVD detail pages provide comprehensive information about the vulnerability. Additional references from Wordfence offer insights into the vulnerability's discovery and exploitation.

Official resources