{"id":"CVE-2025-3247","details":"The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user-controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a success email message for each transaction, which may trick an administrator into fulfilling each order.","modified":"2026-04-10T05:25:10.855922Z","published":"2025-04-16T06:15:42.933Z","references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/contact-form-7/tags/6.0.5/modules/stripe/stripe.php#L114"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/38257dbf-288e-4028-af65-85f5389888ac?source=cve"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset/3270138/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rocklobster-in/contact-form-7","events":[{"introduced":"0"},{"fixed":"1eb9ab2a19a642192b7a635d8a2283b898ad4845"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.0.6"}]}}],"versions":["v5.1.6","v5.1.7","v5.1.8","v5.1.9","v5.2","v5.2.1","v5.2.2","v5.3","v5.3.1","v5.4","v5.4-beta","v5.4-beta2","v5.4.1","v5.4.2","v5.5","v5.5.1","v5.5.2","v5.5.3","v5.5.4","v5.5.5","v5.5.6","v5.6","v5.6-alpha","v5.6-beta","v5.6.1","v5.6.2","v5.6.3","v5.7","v5.7.1","v5.7.2","v5.7.3","v5.7.4","v5.7.5","v5.7.5.1","v5.7.6","v5.7.7","v5.8.0","v5.8.1","v5.8.2","v5.8.5","v5.8.6","v5.8.7","v5.9.0","v5.9.1","v5.9.2","v5.9.3","v5.9.4","v5.9.5","v5.9.6","v5.9.7","v6.0.0","v6.0.1","v6.0.2","v6.0.3","v6.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3247.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}