CVE-2025-3247

5.3 MEDIUM

📋 TL;DR

The Contact Form 7 WordPress plugin, in versions up to and including 6.0.5, does not bind a Stripe PaymentIntent to a single form submission. An unauthenticated attacker who completes one legitimate payment can resubmit the form with the same PaymentIntent ID any number of times. Stripe charges the card only once, but the plugin treats every resubmission as a paid order and sends a confirmation email for each, which can lead administrators to fulfil orders that were never paid for. Sites running Contact Form 7 with the Stripe integration enabled are affected.
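The failure mode above, as an added model (not code from the Contact Form 7 plugin): a Stripe stand-in holds one PaymentIntent that the customer paid once, and three form submissions replay its ID. The vulnerable handler accepts any submission whose intent reports "succeeded", so it mails a confirmation three times; the hardened handler additionally records consumed intent IDs and checks the intent's amount and currency against the order, so only the first submission is accepted. `FakeStripe`, the handler names and the field names are hypothetical; they stand in for the plugin's real Stripe client and submission handling.

```python
"""Model of the Contact Form 7 / Stripe order-replay flaw (CVE-2025-3247).

Added example, not code from the Contact Form 7 plugin: the Stripe client,
handlers and mailer are hypothetical stand-ins. Only the failure mode they
reproduce (one succeeded PaymentIntent accepted for many submissions, each
producing a confirmation mail) comes from the advisory.
"""
from dataclasses import dataclass


@dataclass
class PaymentIntent:
    id: str
    amount: int        # minor units (cents)
    currency: str
    status: str        # "succeeded" once Stripe captured the payment


class FakeStripe:
    """Stand-in for the Stripe API. The customer paid pi_replay exactly once."""

    def __init__(self, intents):
        self._intents = {pi.id: pi for pi in intents}

    def retrieve(self, intent_id):
        return self._intents.get(intent_id)


@dataclass
class Submission:
    """A form POST. payment_intent is the hidden field the browser echoes back."""
    payment_intent: str
    amount: int
    currency: str


def vulnerable_accept(stripe, sub, mail_outbox):
    """Accept whenever the referenced intent reports 'succeeded'.

    Nothing ties the intent to this submission, so re-POSTing the same
    intent ID gets another confirmation mail with no new charge.
    """
    pi = stripe.retrieve(sub.payment_intent)
    if pi is None or pi.status != "succeeded":
        return False
    mail_outbox.append(f"order confirmed, paid by {pi.id}")
    return True


class HardenedAcceptor:
    """Bind each PaymentIntent to one order and check it paid for this order."""

    def __init__(self, stripe):
        self.stripe = stripe
        # Must be durable and atomic in a real plugin (e.g. a DB table with
        # a UNIQUE constraint on the intent ID), or concurrent replays race.
        self.consumed = set()

    def accept(self, sub, mail_outbox):
        pi = self.stripe.retrieve(sub.payment_intent)
        if pi is None or pi.status != "succeeded":
            return False
        if pi.id in self.consumed:              # replay: intent already spent
            return False
        if (pi.amount, pi.currency) != (sub.amount, sub.currency):
            return False                        # paid, but not for this order
        self.consumed.add(pi.id)
        mail_outbox.append(f"order confirmed, paid by {pi.id}")
        return True


def replay_attempts():
    """Three POSTs reusing one paid intent: the attacker's replay."""
    return [Submission("pi_replay", 4900, "usd") for _ in range(3)]


def run_vulnerable():
    """Number of confirmation mails the vulnerable handler sends for the replay."""
    stripe = FakeStripe([PaymentIntent("pi_replay", 4900, "usd", "succeeded")])
    outbox = []
    for sub in replay_attempts():
        vulnerable_accept(stripe, sub, outbox)
    return len(outbox)


def run_hardened():
    """Same replay against the hardened handler."""
    stripe = FakeStripe([PaymentIntent("pi_replay", 4900, "usd", "succeeded")])
    acceptor = HardenedAcceptor(stripe)
    outbox = []
    for sub in replay_attempts():
        acceptor.accept(sub, outbox)
    return len(outbox)


if __name__ == "__main__":
    print("vulnerable handler mails sent:", run_vulnerable())  # 3
    print("hardened handler mails sent:", run_hardened())      # 1
```

The two extra checks are independent: the consumed-ID set stops replay of a paid intent, and the amount/currency comparison stops an intent paid for a cheap item being presented as payment for an expensive one. In a real deployment the consumed set has to live in the database with a uniqueness guarantee, because an in-memory set does nothing across PHP requests and two simultaneous replays would otherwise both pass the membership test.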

💻 Affected Systems

Products:
  • Contact Form 7 WordPress Plugin
Versions: All versions up to and including 6.0.5
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with Stripe payment module enabled. WordPress core itself is not vulnerable.

📦 What is this software?

Contact Form 7 is one of the most widely installed WordPress plugins for building contact and order forms. Its optional Stripe integration lets a form take a card payment before the submission is accepted: the plugin creates a Stripe PaymentIntent, the customer pays it in the browser, and the PaymentIntent ID is sent back with the form so the server can confirm the payment.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrators fulfill multiple fraudulent orders based on fake email confirmations, resulting in financial loss, inventory depletion, and reputational damage.

🟠

Likely Case

Attackers exploit the vulnerability to generate multiple fake order confirmations, causing administrative confusion and potential fulfillment of some fraudulent orders.

🟢

If Mitigated

With proper monitoring and manual order verification processes, fraudulent orders are caught before fulfillment, minimizing financial impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to pay through the form once and then re-send the form submission with the same PaymentIntent ID; intercepting or replaying the POST needs no more than a browser proxy. No authentication or account is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.6 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3270138/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Contact Form 7 and click 'Update Now'.
4. Verify the installed version is 6.0.6 or higher.

🔧 Temporary Workarounds

Disable Stripe Module

Applies to: all affected versions

Temporarily disable Stripe payment functionality in Contact Form 7: in the WordPress admin, navigate to Contact → Integration and disable the Stripe integration. Forms that rely on Stripe will stop taking payments until the plugin is updated, so plan the outage or fall back to another order channel.

🧯 If You Can't Patch

  • Before fulfilling any order, confirm in the Stripe dashboard that the PaymentIntent referenced by the confirmation email exists, has status succeeded, matches the order amount, and has not already been used by an earlier order.
  • Add web application firewall rules that alert on, or block, repeated form submissions carrying the same Stripe PaymentIntent ID (this requires the WAF to inspect POST bodies, not just URLs).

🔍 How to Verify

Check if Vulnerable:

Check Contact Form 7 plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin list --name=contact-form-7 --field=version

Verify Fix Applied:

Confirm the Contact Form 7 version is 6.0.6 or higher, then test the Stripe flow end to end: a normal payment should still produce one confirmation, and re-sending the same form submission (same PaymentIntent ID) should be rejected and produce no second confirmation email.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful payment emails for same PaymentIntent ID
  • Unusual spike in order confirmations without corresponding Stripe transactions

Network Indicators:

  • Repeated form-submission POSTs from the same client carrying the same Stripe PaymentIntent ID (Contact Form 7 submits forms to its REST endpoint under /wp-json/contact-form-7/v1/, so look there rather than only at wp-admin/admin-ajax.php)

SIEM Query:

source="wordpress.log" AND "wpcf7_stripe" AND "payment_intent" | stats count by src_ip, payment_intent

This query assumes your web server, reverse proxy or WAF logs form POST bodies and that the PaymentIntent field has been extracted into a payment_intent field; WordPress itself does not write such a log by default. Any (src_ip, payment_intent) pair with a count above 1 is a replay candidate.
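The detection and reconciliation described in the workaround and detection sections above, as an added example that is not part of the advisory or the plugin. The log lines, the REST path, the payment_intent field name and the Stripe export are all constructed so the script runs offline; on a real site the input would be the web-server or WAF log and the PaymentIntent list from the Stripe dashboard or API. The first function reproduces the SIEM query (submissions per source IP and intent ID); the second applies the manual-verification rule to a batch of confirmation emails and flags every order that should not be fulfilled.

```python
"""Replay detection and Stripe reconciliation for CVE-2025-3247.

Added example; not part of the advisory or of Contact Form 7. The log
format, endpoint path, field name and Stripe data below are constructed so
the script runs offline.
"""
import re
from collections import Counter, defaultdict

# Constructed web-server log: Contact Form 7 submissions carrying the Stripe
# PaymentIntent field. Real field and endpoint names may differ per install.
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 198.51.100.7 POST /wp-json/contact-form-7/v1/contact-forms/12/feedback payment_intent=pi_3AAA
2025-04-01T10:00:40Z 198.51.100.7 POST /wp-json/contact-form-7/v1/contact-forms/12/feedback payment_intent=pi_3AAA
2025-04-01T10:01:05Z 198.51.100.7 POST /wp-json/contact-form-7/v1/contact-forms/12/feedback payment_intent=pi_3AAA
2025-04-01T11:13:22Z 203.0.113.9 POST /wp-json/contact-form-7/v1/contact-forms/12/feedback payment_intent=pi_3BBB
2025-04-01T12:45:09Z 192.0.2.44 POST /wp-json/contact-form-7/v1/contact-forms/12/feedback payment_intent=pi_3CCC
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) payment_intent=(?P<pi>pi_\w+)$"
)


def parse_submissions(log_text):
    """Return (src_ip, payment_intent) for every form-submission line."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group("ip"), m.group("pi")))
    return pairs


def intents_submitted_more_than_once(submissions):
    """Equivalent of the SIEM query: (src_ip, intent) pairs seen more than once."""
    counts = Counter(submissions)
    return {key: n for key, n in counts.items() if n > 1}


# Constructed confirmation-email records, as an admin would extract them
# from the plugin's "order confirmed" mails before fulfilling anything.
ORDERS = [
    {"order": "1001", "payment_intent": "pi_3AAA", "amount": 4900},
    {"order": "1002", "payment_intent": "pi_3AAA", "amount": 4900},
    {"order": "1003", "payment_intent": "pi_3AAA", "amount": 4900},
    {"order": "1004", "payment_intent": "pi_3BBB", "amount": 1500},
    {"order": "1005", "payment_intent": "pi_3CCC", "amount": 2500},
]

# Constructed Stripe-side view (what actually got charged). In production,
# build this from the dashboard export or stripe.PaymentIntent.list().
STRIPE_INTENTS = {
    "pi_3AAA": {"amount": 4900, "status": "succeeded"},
    "pi_3BBB": {"amount": 1500, "status": "succeeded"},
    # The customer never completed this payment.
    "pi_3CCC": {"amount": 2500, "status": "requires_payment_method"},
}


def reconcile(orders, stripe_intents):
    """Flag orders that must not be fulfilled: unpaid, mismatched or replayed.

    Returns {order_id: [reasons]} for every bad order. The first order that
    references a given intent is treated as the legitimate one; every later
    order reusing that intent is a replay.
    """
    by_intent = defaultdict(list)
    for o in orders:
        by_intent[o["payment_intent"]].append(o["order"])

    findings = {}
    for o in orders:
        reasons = []
        pi = stripe_intents.get(o["payment_intent"])
        if pi is None or pi["status"] != "succeeded":
            reasons.append("no succeeded payment on Stripe")
        elif pi["amount"] != o["amount"]:
            reasons.append("amount mismatch")
        users = by_intent[o["payment_intent"]]
        if len(users) > 1 and o["order"] != users[0]:
            reasons.append(f"PaymentIntent already used by order {users[0]}")
        if reasons:
            findings[o["order"]] = reasons
    return findings


if __name__ == "__main__":
    print(intents_submitted_more_than_once(parse_submissions(SAMPLE_LOG)))
    for order_id, why in sorted(reconcile(ORDERS, STRIPE_INTENTS).items()):
        print(order_id, "HOLD:", "; ".join(why))
```

Both checks complement each other: the log count catches the replay while it is happening, even before anyone reads the emails, while the reconciliation catches it from the fulfilment side and also covers orders whose PaymentIntent never succeeded at all. Because the plugin sends an identical confirmation for each replay, the email alone can never distinguish the first (paid) order from the later ones; the Stripe record is the only authority.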
