CVE-2025-3247
Contact Form 7 <= 6.0.5 - Order Replay VulnerabilityThe Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
We have discovered 1,772,583 live websites that are affected by CVE-2025-3247.
Affected Software
| Product |  Contact Form 7 |
| Category | Form Builders |
| Vulnerable Domains | 1,772,583 live websites (49% of Contact Form 7 install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 116 versions ( 91% of all versions) |
Common Weakness Enumeration
CWE-354 Improper Validation of Integrity Check ValueDetails
- Published - Apr 16, 2025
- Updated - Apr 16, 2025
Credits
- Asaf Mozes (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-3247 United States | 338,881 websites |
 Germany | 178,012 websites |
 Japan | 165,360 websites |
 France | 114,501 websites |
 Italy | 100,770 websites |
 Russia | 75,801 websites |
 GB | 72,384 websites |
 Netherlands | 56,432 websites |
 Spain | 56,271 websites |
 Poland | 56,152 websites |
Website Distribution by TLD
Number of websites using CVE-2025-3247| .com | 680,165 websites |
| .de | 99,863 websites |
| .it | 71,056 websites |
| .ru | 61,281 websites |
| .org | 56,265 websites |
| .nl | 50,200 websites |
| .fr | 47,143 websites |
| .co.uk | 46,708 websites |
| .net | 44,177 websites |
| .pl | 42,380 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-3247
Top websites that are affected by CVE-2025-3247. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.br |  Brazil | *** | |
| **********.de | Germany | *** | |
| ********.com |  Singapore | *,*** | |
| ***.domains |  Bulgaria | *,*** | |
| ************.com | United States | *,*** | |
| *******.org | United States | *,*** | |
| ************.com | GB | *,*** | |
| ***************.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ***************.com | United States | *,*** |
FAQ
CVE-2025-3247 is Improper Validation of Integrity Check Value in Contact Form 7
A total of 1,772,583 websites have been identified as vulnerable to CVE-2025-3247, based on global website indexing conducted by WebTechSurvey.
The Contact Form 7 is affected by the CVE-2025-3247 vulnerability.
Contact Form 7 versions up to and including 6.0.5 are vulnerable to CVE-2025-3247.