    Severity: MEDIUM (6.6)
    Type: Plugin

    Uncontrolled Resource Consumption in Conditional Fields for Contact Form 7 Plugin

    Published Date: 5/4/2026
    CVE ID: CVE-2026-25863

    Summary

    The Conditional Fields for Contact Form 7 plugin up to version 2.6.7 is vulnerable to uncontrolled resource consumption. This issue allows unauthenticated attackers to leverage the REST API endpoint to cause resource exhaustion on the server, potentially crashing the PHP process.

    Vulnerability Details

    The vulnerability arises in the plugin's Wpcf7cfMailParser class, where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters. The value is neither validated nor capped, so an attacker can supply an extremely large integer and make the server run that many loop iterations, each performing preg_replace() operations; the result is excessive memory use and a potential crash of the PHP process. Because the REST API endpoint accepts this input from unauthenticated callers, the flaw is exploitable by remote attackers without prior access, leading to service disruption and a denial of service condition that affects the availability of the site and its operations.

    Recommendations

    To mitigate this vulnerability, restrict access to the affected REST API endpoint to authenticated users only. Implement rate limiting on the number of requests that can be made to the REST API. Validate and sanitize user inputs rigorously, especially any value that controls loop iterations or resource allocation, and enforce a fixed upper bound on such values. Consider disabling the plugin if it is not critical to your site's operation until a patch is applied or the vulnerability is officially addressed.
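    The following PHP is an added illustration of the pattern described in Vulnerability Details and of the two code-level controls from Recommendations (bounding a user-supplied iteration count, and requiring authentication on the REST route). It is constructed for this page and is not the plugin's own code: the function names, the route name, the EXAMPLE_MAX_ITERATIONS ceiling and the shortcode-like regex are all assumptions. register_rest_route(), permission_callback, absint() and current_user_can() are real WordPress APIs.

```php
<?php
// Added example, not the plugin's code. Constructed names: example_weak_strip(),
// example_bounded_iterations(), example_hardened_strip(), example_register_route(),
// EXAMPLE_MAX_ITERATIONS, and the route 'example-plugin/v1/strip-hidden'.

const EXAMPLE_MAX_ITERATIONS = 20;

// Constructed stand-in for the plugin's real pattern; it is not the plugin's regex.
const EXAMPLE_HIDDEN_FIELD_REGEX = '/\[hidden-field[^\]]*\]/';

/**
 * Weak pattern (constructed): the loop count comes straight from the request,
 * so a very large value means a very large number of preg_replace() calls.
 */
function example_weak_strip(string $body, $iterations_param): string {
    $iterations = (int) $iterations_param;          // no validation, no upper bound
    for ($i = 0; $i < $iterations; $i++) {
        $body = preg_replace(EXAMPLE_HIDDEN_FIELD_REGEX, '', $body);
    }
    return $body;
}

/**
 * Hardened: coerce to a non-negative integer and clamp to a fixed ceiling.
 * absint() is the WordPress helper; the cast is a fallback so this file also
 * runs outside WordPress.
 */
function example_bounded_iterations($param): int {
    $n = function_exists('absint') ? absint($param) : abs((int) $param);
    return min($n, EXAMPLE_MAX_ITERATIONS);
}

function example_hardened_strip(string $body, $iterations_param): string {
    $iterations = example_bounded_iterations($iterations_param);
    for ($i = 0; $i < $iterations; $i++) {
        $new = preg_replace(EXAMPLE_HIDDEN_FIELD_REGEX, '', $body);
        if ($new === null || $new === $body) {
            break;                                  // regex error or nothing left to remove
        }
        $body = $new;
    }
    return $body;
}

/**
 * Hardened REST registration. permission_callback keeps the endpoint away from
 * unauthenticated callers, and the 'args' schema rejects out-of-range counts
 * before the callback runs (WordPress applies 'minimum'/'maximum' through its
 * default argument validation).
 */
function example_register_route(): void {
    register_rest_route('example-plugin/v1', '/strip-hidden', [
        'methods'             => 'POST',
        'callback'            => function (WP_REST_Request $req) {
            return rest_ensure_response(
                example_hardened_strip(
                    (string) $req->get_param('body'),
                    $req->get_param('iterations')
                )
            );
        },
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
        'args' => [
            'iterations' => [
                'type'              => 'integer',
                'minimum'           => 0,
                'maximum'           => EXAMPLE_MAX_ITERATIONS,
                'sanitize_callback' => 'absint',
            ],
        ],
    ]);
}

if (function_exists('add_action')) {
    add_action('rest_api_init', 'example_register_route');
}

// Stand-alone check outside WordPress (constructed input):
$sample = 'Hello [hidden-field a] world [hidden-field b]';
echo example_hardened_strip($sample, '999999999'), PHP_EOL;   // at most 20 passes, stops early
```

    Rate limiting, the other recommendation on this page, is normally enforced at the web server, reverse proxy or WAF layer rather than in plugin code, so it is not shown here.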

    Available Fixes

    Last Updated: 5/7/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.
