Description
The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-07-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion leading to Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from insufficient validation of the file path supplied in the 'delete-file' request field within the plugin. An unauthenticated attacker can craft a request that causes the plugin, when an administrator deletes a database entry, to delete any file on the server that the web process can reach. Because critical configuration files such as wp-config.php may be removed, this can lead to remote code execution or site compromise. The weakness is classified as a path traversal / arbitrary file deletion flaw (CWE-22).
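The root cause described above is a file-path value taken from a request field and passed to a delete routine without confining it to the directory it is supposed to reference. The following is an added example, written for this page and not code from the Extensions For CF7 plugin (which is PHP); it shows the containment check in Python, which generalises beyond WordPress to any "delete this attachment" handler. It assumes a hypothetical deletion handler that receives a relative file reference (the analogue of the 'delete-file' field) and an uploads directory it is allowed to operate in; the directory layout in `demo()` is constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested file path is not confined to the allowed directory."""


def resolve_confined(requested: str, allowed_root: str) -> Path:
    """Return the canonical path of `requested` only if it lies strictly inside `allowed_root`.

    `requested` is an untrusted value (hypothetical analogue of a 'delete-file'
    request field). It is joined to the allowed root and then fully resolved so
    that '..' segments and symbolic links are canonicalised *before* the
    containment check; anything that escapes the root raises UnsafePathError.
    """
    root = Path(allowed_root).resolve(strict=True)
    # An attachment reference must be relative to the root; absolute paths and
    # embedded NUL bytes are rejected before any filesystem access.
    if os.path.isabs(requested) or "\x00" in requested:
        raise UnsafePathError(f"rejected path: {requested!r}")
    candidate = (root / requested).resolve(strict=False)
    # Compare on the resolved path, so a symlink inside the root that points
    # outside it is caught as well as a plain '../' traversal.
    if root not in candidate.parents:
        raise UnsafePathError(f"path escapes allowed root: {requested!r}")
    return candidate


def delete_upload(requested: str, allowed_root: str) -> bool:
    """Delete a regular file under `allowed_root` named by an untrusted request field.

    Returns True if a file was removed and False if nothing existed there.
    Directories are never removed; escaping paths raise UnsafePathError.
    """
    target = resolve_confined(requested, allowed_root)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: an uploads directory holding one attachment, with a
    stand-in wp-config.php one level above it, both created in a temp directory."""
    base = Path(tempfile.mkdtemp())
    uploads = base / "uploads"
    uploads.mkdir()
    (uploads / "attachment.pdf").write_text("constructed attachment")
    (base / "wp-config.php").write_text("<?php // constructed stand-in, not a real config")
    results = {}
    try:
        # Legitimate request: a file that really lives under the uploads root.
        results["legit_deleted"] = delete_upload("attachment.pdf", str(uploads))
        results["attachment_gone"] = not (uploads / "attachment.pdf").exists()
        # Traversal attempt: must be refused and must leave the config untouched.
        try:
            delete_upload("../wp-config.php", str(uploads))
            results["traversal_blocked"] = False
        except UnsafePathError:
            results["traversal_blocked"] = True
        # Absolute path attempt: refused before any filesystem access.
        try:
            delete_upload(str(base / "wp-config.php"), str(uploads))
            results["absolute_blocked"] = False
        except UnsafePathError:
            results["absolute_blocked"] = True
        results["config_intact"] = (base / "wp-config.php").exists()
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The important design point is that the check runs on the fully resolved path rather than on the raw string: rejecting the literal `..` is not enough, because URL-encoded, doubled, or symlink-based variants reach the same file. Confining to the resolved root handles all of them with one comparison, and refusing absolute paths up front avoids ever touching the filesystem for obviously malformed input.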

Affected Systems

Any WordPress installation that has the Extensions For CF7 plugin, versions 3.2.8 or earlier. The vendor, htplugins, released the plugin under the name Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection). Sites running these versions that allow administrator deletion of form submissions are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 highlights a high severity, while the EPSS score of less than 1% indicates that active exploitation is currently rare, but the vulnerability remains a high priority because it does not require authentication and could be leveraged to delete critical files. The flaw is not listed in the CISA KEV catalog. Attackers need only send a crafted delete-file request to the plugin's admin endpoint, which is accessible without authentication, allowing them to delete arbitrary files and potentially execute arbitrary code.

Generated by OpenCVE AI on April 21, 2026 at 03:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update to the Extensions For CF7 plugin to version 3.2.9 or later.
  • If an update cannot be performed immediately, disable the plugin entirely or remove it from the WordPress installation to eliminate the deletion capability.
  • Monitor the file system for unexpected deletions, maintain regular backups, and restore any critical files that have been inadvertently removed.

Advisories

Source: EUVD
ID: EUVD-2025-22296
Title: The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

History

Tue, 22 Jul 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 06:45:00 +0000

Type | Values Removed | Values Added
Description | | The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title | | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) <= 3.2.8 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion
Weaknesses | | CWE-22
References | |
Metrics (cvssV3_1) | | {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:26.662Z

Reserved: 2025-07-14T15:47:06.572Z

Link: CVE-2025-7645

Vulnrichment

Updated: 2025-07-22T15:08:10.830Z

NVD

Status: Deferred

Published: 2025-07-22T07:15:23.800

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7645

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses