{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32496", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.510Z", "datePublished": "2026-03-25T16:14:59.586Z", "dateUpdated": "2026-03-25T16:14:59.586Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-contact-form-7-spam-blocker", "product": "Spam Protect for Contact Form 7", "vendor": "NYSL", "versions": [{"changes": [{"at": "1.2.10", "status": "unaffected"}], "lessThanOrEqual": "<= 1.2.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrea Bocchetti | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.835Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.<p>This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:59.586Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-contact-form-7-spam-blocker/vulnerability/wordpress-spam-protect-for-contact-form-7-plugin-1-2-9-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Spam Protect for Contact Form 7 plugin <= 1.2.9 - Arbitrary File Deletion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9."}], "id": "CVE-2026-32496", "lastModified": "2026-03-25T17:17:01.383", "metrics": {}, "published": "2026-03-25T17:17:01.383", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-contact-form-7-spam-blocker/vulnerability/wordpress-spam-protect-for-contact-form-7-plugin-1-2-9-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:48:19.364497+00:00", "value": {"mitigation_remediation": ["Update Spam Protect for Contact Form 7 to a version newer than 1.2.9", "If an update is unavailable, uninstall the plugin"], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites running NYSL Spam Protect for Contact Form 7 plugin version 1.2.9 or earlier are affected. Any installation that has not updated beyond this release remains vulnerable and should be verified for compliance.", "description_and_impact": "Improper limitation of pathname to a restricted directory, known as path traversal, is present in the NYSL Spam Protect for Contact Form 7 plugin. This weakness allows an attacker who can exploit the plugin to reference files outside the intended plugin directory and delete them. The result is the loss of file integrity and the potential removal of sensitive files, which can affect confidentiality, integrity, and availability. The issue is classified under CWE\u201122.", "risk_and_exploitability": "The CVE description does not specify authentication requirements, so it is unclear whether a user must be authenticated to trigger the flaw. However, the vulnerability arises from a plugin endpoint that is accessible through a web request, indicating that it could be reachable from the public internet. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog, leaving the precise exploitation likelihood uncertain. Given that an attacker could delete arbitrary files, the severity can be considered high, especially for sites storing critical or sensitive data within the affected directories."}}}}, "created": "2026-03-25T21:43:32.481221+00:00", "updated": "2026-03-25T21:43:32.481259+00:00", "vendors": []}