CVE-2025-3247 Overview
CVE-2025-3247 is an Order Replay vulnerability affecting the Contact Form 7 plugin for WordPress. The vulnerability exists in all versions up to and including 6.0.5 within the wpcf7_stripe_skip_spam_check function, due to insufficient validation of a user-controlled key: the Stripe PaymentIntent identifier submitted with the form. The flaw lets unauthenticated attackers reuse a single Stripe PaymentIntent across multiple form submissions.
Stripe processes only the first transaction, but the plugin generates and sends a successful order-confirmation email for every replayed submission. Administrators who treat those emails as proof of payment may fulfil orders that were never paid for.
Critical Impact
Unauthenticated attackers can exploit the Order Replay flaw to generate fake order confirmations, potentially tricking administrators into shipping products or services without valid payment.
Affected Products
- Contact Form 7 versions up to and including 6.0.5
- WordPress installations with Contact Form 7 Stripe integration enabled
- Vendor / product as listed by NVD: rocklobster / contact_form_7
Discovery Timeline
- 2025-04-16 - CVE-2025-3247 published to NVD
- 2025-07-08 - Last updated in NVD database
Technical Details for CVE-2025-3247
Vulnerability Analysis
The vulnerability is classified as CWE-354 (Improper Validation of Integrity Check Value). The core issue is that the plugin checks whether the submitted Stripe PaymentIntent identifier names a successful payment, but not whether that identifier has already been consumed by an earlier submission.
When a payment is initiated through Contact Form 7's Stripe integration, the plugin creates a PaymentIntent and associates it with the form submission. However, the wpcf7_stripe_skip_spam_check function does not verify whether a PaymentIntent has already been used for a previous transaction. An attacker who holds the identifier of one valid, paid PaymentIntent can therefore replay it across as many form submissions as they like, and each passes the check.
The attack requires no authentication, so any external party who can reach the form can carry it out. Stripe charges the card only once, so the loss is not in duplicate charges but in goods or services shipped against confirmations that no payment backs. The business-logic flaw turns the plugin's own notification emails into a tool for order fraud against administrators who rely on them.
Root Cause
The root cause is insufficient validation on user-controlled input within the Stripe payment processing module. Specifically, the wpcf7_stripe_skip_spam_check function at line 114 of the stripe.php module does not implement an integrity check that would prevent the reuse of PaymentIntent identifiers. With no server-side record of consumed PaymentIntents, the same identifier can be submitted repeatedly, and each submission generates a success notification.
Attack Vector
The attack is network-based and can be executed without authentication. An attacker would perform the following steps:
- Complete a legitimate transaction through a Contact Form 7 form with Stripe integration
- Capture the PaymentIntent identifier from the successful transaction
- Replay the captured PaymentIntent in subsequent form submissions
- Each replay generates a successful email notification to the administrator
- The administrator, seeing multiple order confirmations, may fulfill orders that were never actually paid
The vulnerability is particularly dangerous in e-commerce scenarios where administrators rely on email notifications as proof of payment. The technical details of the vulnerable code can be found in the WordPress Contact Form 7 Stripe Code reference.
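The replay described in the steps above, and the consumed-identifier check that closes it, can be modelled in a few dozen lines. The block below is an added example written for this page; it is not Contact Form 7's code or the Stripe SDK. The FakeStripe class, the FormHandler class, the field name "payment_intent" and the prices are constructed placeholders. With hardened=False the handler keeps the flawed behaviour (any succeeded PaymentIntent id is accepted every time it is posted); with hardened=True it binds the payment to the form's price and consumes each id exactly once.

```python
"""Order-replay model: one succeeded Stripe PaymentIntent id reused across
form submissions, and the consumed-id check that stops it.

Constructed, self-contained example. FakeStripe, FormHandler and the
"payment_intent" field name are placeholders for this illustration, not
Contact Form 7's code or Stripe's SDK.
"""
from dataclasses import dataclass, field
import itertools


class FakeStripe:
    """Minimal stand-in for the Stripe PaymentIntents API (constructed)."""

    def __init__(self):
        self._intents = {}
        self._seq = itertools.count(1)

    def create_payment_intent(self, amount, currency="usd"):
        pi_id = f"pi_example_{next(self._seq):04d}"
        self._intents[pi_id] = {"id": pi_id, "amount": amount,
                                "currency": currency,
                                "status": "requires_payment_method"}
        return pi_id

    def confirm(self, pi_id):
        """The customer actually pays; the status flips to succeeded once."""
        self._intents[pi_id]["status"] = "succeeded"

    def retrieve(self, pi_id):
        return self._intents.get(pi_id)

    def succeeded_count(self):
        """Number of payments Stripe really recorded (what the dashboard shows)."""
        return sum(1 for i in self._intents.values() if i["status"] == "succeeded")


@dataclass
class FormHandler:
    stripe: FakeStripe
    hardened: bool                        # False reproduces the flawed logic
    expected_amount: int = 4999           # price this form is configured to charge
    consumed: set = field(default_factory=set)   # stands in for a DB table with a UNIQUE key
    confirmations: list = field(default_factory=list)

    def submit(self, posted):
        """Second-pass submission: the form is posted with a PaymentIntent id."""
        pi_id = posted.get("payment_intent", "")
        intent = self.stripe.retrieve(pi_id)
        # Shared check: the id must name a PaymentIntent that succeeded.
        if intent is None or intent["status"] != "succeeded":
            return "rejected: payment not completed"
        if self.hardened:
            # Bind the payment to this form's price so a cheap intent cannot
            # be presented for an expensive order.
            if intent["amount"] != self.expected_amount:
                return "rejected: amount mismatch"
            # Consume the id exactly once. In a real plugin this is an INSERT
            # into a table with a UNIQUE constraint on the id, so two concurrent
            # replays cannot both win; a set models that for one process.
            if pi_id in self.consumed:
                return "rejected: PaymentIntent already used"
            self.consumed.add(pi_id)
        # Reaching this point is what triggers the order-confirmation e-mail.
        self.confirmations.append(pi_id)
        return "accepted"


def simulate_replay(hardened, replays=5):
    """A customer pays once, then the same id is replayed `replays` times.

    Returns (confirmation e-mails sent, payments Stripe actually recorded).
    """
    stripe = FakeStripe()
    handler = FormHandler(stripe=stripe, hardened=hardened)
    pi_id = stripe.create_payment_intent(4999)
    stripe.confirm(pi_id)                        # step 1: one real payment
    handler.submit({"payment_intent": pi_id})    # the legitimate submission
    for _ in range(replays):                     # steps 2-4: captured id, replayed
        handler.submit({"payment_intent": pi_id})
    return len(handler.confirmations), stripe.succeeded_count()


if __name__ == "__main__":
    print("vulnerable:", simulate_replay(hardened=False))   # (6, 1)
    print("hardened:  ", simulate_replay(hardened=True))    # (1, 1)
```

The gap between the two numbers in the vulnerable run is exactly what an administrator sees: six confirmation emails against one charge in the Stripe dashboard. The amount check is an extra safeguard beyond the replay fix itself; without it a real payment for the cheapest item on a site could be presented as payment for any form that accepts the same identifier.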
Detection Methods for CVE-2025-3247
Indicators of Compromise
- Multiple order confirmation emails carrying the same PaymentIntent identifier (the replayed value is identical on every submission, so look for exact duplicates)
- Discrepancies between the number of succeeded payments in the Stripe dashboard and the number of order confirmation emails sent
- Repeated PaymentIntent identifiers in form submissions, visible only where the site records submission payloads (web server access logs do not capture POST bodies by default)
- Several submissions with a valid payment identifier arriving in rapid succession, often from one client address
Detection Strategies
- Record the PaymentIntent identifier with every form submission that reaches the payment check, and alert when an identifier appears a second time
- Cross-reference Contact Form 7 email notifications with the succeeded payments listed in the Stripe dashboard
- Do not rely on WordPress error logs: a replayed submission succeeds from the plugin's point of view and raises no error, so the replay leaves nothing there
- Deploy web application firewall rules to rate-limit or block rapid sequential submissions to the same form that carry identical payment parameters
Monitoring Recommendations
- Regularly audit Stripe transaction logs against order fulfillment records
- Set up alerts for multiple form submissions from the same IP address within short time windows
- Monitor for discrepancies between payment processor records and plugin-generated notifications
- Review stored submissions for anomalous patterns indicating exploitation, where submissions are stored at all (Contact Form 7 does not keep them by default; a submission-storage plugin or custom logging is needed)
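The detection and monitoring checks listed above reduce to three queries over a submission record: which PaymentIntent identifiers recur, which client addresses burst, and where the confirmation count diverges from Stripe's own records. The block below is an added example written for this page, not part of Contact Form 7 or of any Wordfence tooling. The log format, the sample lines and the Stripe export are constructed; the IDs and addresses are documentation values. A real deployment would feed it the log produced by whatever submission logging the site adds, and a Stripe export of succeeded PaymentIntents for the same period.

```python
"""Replay detection over a constructed submission log.

Everything here (log format, field names, sample lines, Stripe export) is
constructed for this example; Contact Form 7 keeps no submission log of its
own, so the site must record the PaymentIntent id itself.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log: one line per submission that reached the payment check.
# Fields: timestamp, client IP, form id, PaymentIntent id.
SAMPLE_LOG = """\
2025-04-17T10:02:11Z 198.51.100.7 form=42 pi=pi_example_0001
2025-04-17T10:09:45Z 198.51.100.8 form=42 pi=pi_example_0002
2025-04-17T10:15:02Z 203.0.113.5 form=42 pi=pi_example_0003
2025-04-17T10:15:09Z 203.0.113.5 form=42 pi=pi_example_0003
2025-04-17T10:15:15Z 203.0.113.5 form=42 pi=pi_example_0003
2025-04-17T10:15:21Z 203.0.113.5 form=42 pi=pi_example_0003
2025-04-17T11:30:00Z 198.51.100.9 form=42 pi=pi_example_0004
"""

# Constructed Stripe export: PaymentIntents with status succeeded that day.
STRIPE_SUCCEEDED = {"pi_example_0001", "pi_example_0002",
                    "pi_example_0003", "pi_example_0004"}


def parse_log(text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, form, pi = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "form": form.split("=", 1)[1],
            "pi": pi.split("=", 1)[1],
        })
    return events


def replayed_intents(events):
    """PaymentIntent ids that appear in more than one submission -> count."""
    counts = Counter(e["pi"] for e in events)
    return {pi: n for pi, n in counts.items() if n > 1}


def burst_sources(events, window=timedelta(seconds=60), threshold=3):
    """Client IPs with at least `threshold` submissions inside any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def reconcile(events, stripe_succeeded):
    """Compare confirmations the plugin would have sent with Stripe's records.

    Returns (confirmations sent, ids Stripe actually charged,
             ids with more confirmations than charges).
    """
    confirmations = Counter(e["pi"] for e in events)
    charged = stripe_succeeded & set(confirmations)
    over = {pi for pi, n in confirmations.items()
            if n > (1 if pi in stripe_succeeded else 0)}
    return sum(confirmations.values()), len(charged), over


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("replayed ids:", replayed_intents(ev))      # {'pi_example_0003': 4}
    print("burst sources:", burst_sources(ev))        # {'203.0.113.5'}
    print("reconcile:", reconcile(ev, STRIPE_SUCCEEDED))  # (7, 4, {'pi_example_0003'})
```

The reconciliation is the check worth automating first: it needs no per-request logging beyond what the notification emails already contain, and a confirmation count above the charge count for any identifier is the signature of this flaw. The burst check catches the noisy form of the attack but not a patient attacker who spaces replays out, so it complements rather than replaces the identifier check.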
How to Mitigate CVE-2025-3247
Immediate Actions Required
- Update Contact Form 7 to the latest patched version immediately
- Review recent order notifications and cross-reference with actual Stripe transactions
- Audit any orders processed during the exposure window for potential fraud
- Implement manual verification of payment status in Stripe dashboard before fulfilling orders
Patch Information
The vulnerability has been addressed by the vendor. The security fix is available in WordPress Changeset #3270138. Site administrators should update their Contact Form 7 installation to a version newer than 6.0.5 to receive the security patch. Additional vulnerability details are available in the Wordfence Vulnerability ID 38257 advisory.
Workarounds
- Temporarily disable Stripe payment integration in Contact Form 7 until the patch can be applied
- Implement a mandatory manual verification process requiring administrators to confirm payment in Stripe before order fulfillment
- Add server-side validation logic to track and reject previously used PaymentIntent identifiers
- Consider using alternative payment processing plugins with proper transaction integrity validation until the update is applied
# Update Contact Form 7 via WP-CLI
wp plugin update contact-form-7
# Verify the installed version
wp plugin list --name=contact-form-7 --fields=name,version
# List the Contact Form 7 form definitions modified most recently (adjust the wp_ prefix if the site uses another).
# Note: this shows form configuration, not submissions; Contact Form 7 does not store submissions in the database.
wp db query "SELECT ID, post_title, post_modified FROM wp_posts WHERE post_type='wpcf7_contact_form' ORDER BY post_modified DESC LIMIT 10"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


