Impact
This vulnerability is an unrestricted file upload flaw in the RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database plugin. The plugin accepts submitted files without validating their type, so an attacker can upload a file that the server will execute. If the uploaded file is a web-accessible script such as a PHP file, it can run arbitrary code, compromising the entire site and potentially the hosting environment. The underlying weakness is identified as CWE-434 (Unrestricted Upload of File with Dangerous Type), which describes unsafe handling of user-supplied file names and content.
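The following is an added illustration of the CWE-434 pattern, written for this note; it is not code from the affected plugin or from RedefiningTheWeb. handle_upload_unrestricted() reproduces the weakness the advisory describes (client-chosen name, no type check, executable location), and handle_upload_restricted() shows the checks that close it. The field layout ($_FILES entry), directories, size limit and the extension allow-list are assumptions chosen for the example.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// Two versions of a contact-form attachment handler: the unrestricted one
// reproduces CWE-434; the restricted one applies the usual defences.
// Directory names, the allow-list and the size limit are assumptions.

declare(strict_types=1);

// VULNERABLE: trusts the client-supplied name and MIME type, keeps whatever
// extension the client chose, and stores the file where the web server
// can execute it. This is the pattern the advisory describes.
function handle_upload_unrestricted(array $file, string $uploadDir): string
{
    $target = $uploadDir . '/' . basename($file['name']); // name chosen by the client
    move_uploaded_file($file['tmp_name'], $target);       // no type check at all
    return $target;                                       // may end in .php
}

// HARDENED: allow-list the extension, verify the real content type with
// finfo (not $_FILES['type'], which the client controls), generate a random
// server-side name, and store outside the document root without an execute bit.
const ALLOWED_TYPES = [          // assumed allow-list for a contact form
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];
const MAX_BYTES = 5 * 1024 * 1024; // 5 MiB, an assumed form limit

function handle_upload_restricted(array $file, string $privateDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or was not a real upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension allow-list on the final extension, plus a check of any
    //    inner extensions: Apache configured with AddHandler maps every
    //    extension in a name, so "x.php.pdf" must be rejected too.
    $parts = explode('.', strtolower(basename($file['name'])));
    if (count($parts) < 2) {
        throw new RuntimeException('missing extension');
    }
    $ext = array_pop($parts);
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    foreach ($parts as $inner) {
        if (preg_match('/^(php\d*|phtml|phar|cgi|pl|sh)$/', $inner)) {
            throw new RuntimeException('executable inner extension rejected');
        }
    }

    // 2. Content sniffing: the detected MIME type must match the allow-listed
    //    type for that extension, so a PHP script renamed to .pdf is refused.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }

    // 3. Server-chosen name in a directory the web server does not serve.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($privateDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640); // no execute bit
    return $name;         // the application maps this id back to the stored file
}
```

In a form handler the hardened version is called as handle_upload_restricted($_FILES['attachment'], '/var/www/private/uploads') (both values assumed), and the stored file is later served through a script that sets Content-Disposition: attachment rather than by a direct URL. Inside WordPress itself, wp_check_filetype_and_ext() performs the extension and content checks of steps 1 and 2 against the site's allowed MIME list; the point of the example is that a plugin which skips those checks, or keeps the client's file name in a web-served directory, reintroduces the flaw.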
Affected Systems
The flaw affects any WordPress installation running the RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database plugin at version 3.0.0 or earlier. No sub-version or patch details are supplied, so all releases up to and including 3.0.0 are considered vulnerable.
Risk and Exploitability
The CVSS base score of 9.9 classifies this as critical, while the EPSS score remains below 1 %, indicating a low but non-zero probability of exploitation in the wild. The vulnerability is not currently listed in CISA's KEV catalog, suggesting no confirmed exploits to date. An attacker would most likely exploit the site by submitting a malicious file through the plugin's upload interface, which typically requires either authenticated access to the WordPress dashboard or access to the public form page. Successful exploitation grants the attacker code execution on the web server, with the potential to compromise confidentiality, integrity, and availability at the site or host level.
OpenCVE Enrichment