Impact
The Redirection for Contact Form 7 plugin does not validate the type or origin of the file handled by its move_file_to_upload function. Because the function copies whatever path it is given, an attacker can supply a local path and have any file the web server can read copied elsewhere on the server, or, when PHP's allow_url_fopen is enabled, supply a remote URL and have a file of the attacker's choosing written to an arbitrary location. The flaw is tracked as CWE-434 (Unrestricted Upload of File with Dangerous Type), rooted in the missing file-type check. The consequences range from unauthorized disclosure of server files through modification of existing files to creation of new files in privileged directories, threatening the confidentiality, integrity, and availability of the site.
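To make the weakness concrete, the following PHP sketch contrasts an unchecked copy of the kind the description implies with a hardened equivalent. It is an added illustration, not the plugin's own code: the real move_file_to_upload function's signature and internals are not reproduced, and the function names, the uploads-directory argument (assumed to come from wp_upload_dir()) and the allow-list of types are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's code). Assumed shape: a request-supplied
// path reaches a copy into the uploads directory with no checks at all.

// VULNERABLE (assumed): copies whatever path the request supplies.
function move_file_to_upload_vulnerable( $file, $uploads ) {
    $dest = trailingslashit( $uploads['path'] ) . basename( $file );
    // copy() honours PHP stream wrappers. With allow_url_fopen=On the source may
    // be "https://attacker.example/shell.php"; with it off, a local path such as
    // ABSPATH . 'wp-config.php' is still copied into a web-readable directory.
    return copy( $file, $dest ) ? $dest : false;
}

// HARDENED: accept only a file PHP itself received in this request, enforce a
// type allow-list from the file contents, and never reuse the client's name.
function move_file_to_upload_hardened( $file_entry, $uploads ) {
    // 1. The source must be the temp file of a genuine multipart upload. This
    //    alone rules out arbitrary local paths and remote URLs as sources.
    $tmp = isset( $file_entry['tmp_name'] ) ? $file_entry['tmp_name'] : '';
    if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
        return false;
    }

    // 2. Defence in depth: refuse anything shaped like a stream wrapper even
    //    though is_uploaded_file() already fails for such strings.
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $tmp ) ) {
        return false;
    }

    // 3. Allow-list of types (assumed for the example). WordPress validates the
    //    extension/MIME pair and, for images, sniffs the actual content.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext( $tmp, $file_entry['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return false;
    }

    // 4. Generate the destination name; the client-supplied name is never used,
    //    so it cannot carry "../" or a second extension such as ".php".
    $dest = trailingslashit( $uploads['path'] )
          . wp_generate_password( 24, false ) . '.' . $check['ext'];

    // 5. move_uploaded_file() refuses sources that were not uploaded in this
    //    request and cannot read URLs, whatever allow_url_fopen is set to.
    return move_uploaded_file( $tmp, $dest ) ? $dest : false;
}
```

The important shift is that the hardened version never takes a path from the request at all: the only acceptable source is the entry PHP created in $_FILES, verified with is_uploaded_file(), and the only acceptable types are the ones on the allow-list. Disabling allow_url_fopen narrows the remote-URL variant but does nothing about the local-file copy, so it is a mitigation, not a fix.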
Affected Systems
The vulnerability affects the WordPress plugin Redirection for Contact Form 7, maintained by themeisle. All releases up to and including version 3.2.7 are affected; later releases are presumed to contain the fix.
Risk and Exploitability
The CVSS score of 8.1 rates this flaw as high severity. An EPSS score below 1% indicates a low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack path is nonetheless simple: an unauthenticated remote request to the plugin's file-handling endpoint can be crafted to copy any file the web server can read, or to fetch a remote file if allow_url_fopen is enabled on the host. No privileges are required, so the only environmental precondition for the remote-URL variant is the allow_url_fopen setting, which administrators should check alongside the installed plugin version.
OpenCVE Enrichment