CVE-2026-11395

🗓️ 18 Jun 2026 06:50:06Reported by WordfenceType

Unauthenticated server-side forgery in a WordPress CF7 to Webhook up to version five via pull_the_trigger when the webhook host contains a field placeholder and the form is public.

Reporter	Title	Published	Views	Family All 5
Cvelist	CVE-2026-11395 CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host	18 Jun 202606:50	–	cvelist
EUVD	EUVD-2026-37863	18 Jun 202606:50	–	euvd
NVD	CVE-2026-11395	18 Jun 202608:16	–	nvd
Patchstack	WordPress CF7 to Webhook plugin <= 5.0.0 - Unauthenticated Server-Side Request Forgery vulnerability	18 Jun 202609:01	–	patchstack
Positive Technologies	PT-2026-50635	18 Jun 202600:00	–	ptsecurity

Vulners

Node

mariovalney cf7_to_webhookRange≤5.0.0wordpress

[
  {
    "vendor": "mariovalney",
    "product": "CF7 to Webhook",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "5.0.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/caa5b9aa-e98c-48fc-9e63-0a1380465918
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/browser/cf7-to-zapier/tags/5.0.0/modules/zapier/class-module-zapier.php
plugins	www.plugins.trac.wordpress.org/browser/cf7-to-zapier/tags/5.0.0/modules/cf7/class-module-cf7.php
plugins	www.plugins.trac.wordpress.org/browser/cf7-to-zapier/tags/5.0.0/modules/cf7/class-module-cf7.php

18 Jun 2026 08:16Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.17.2

CWE-918