CVE-2025-3247: 
WordPress vulnerability analysis and mitigation

The Contact Form 7 plugin for WordPress contains an Order Replay vulnerability (CVE-2025-3247) in versions up to and including 6.0.5. The vulnerability exists in the 'wpcf7stripeskipspamcheck' function due to insufficient validation of a user-controlled key. The issue was discovered by Asaf Mozes and was disclosed on April 15, 2025 (WPScan, NVD).

The vulnerability stems from insufficient validation in the Stripe payment processing functionality. It allows unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-354 (Improper Validation of Integrity Check Value) (NVD).

When exploited, the vulnerability allows attackers to reuse a single Stripe PaymentIntent multiple times. While only the first transaction is actually processed through Stripe, the plugin sends successful email confirmations for each replayed transaction. This can deceive administrators into fulfilling multiple orders based on a single payment (WPScan).

The vulnerability has been patched in Contact Form 7 version 6.0.6. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan).