The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sun, 24 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Querysol
Querysol redirection For Contact Form 7
Wordpress
Wordpress wordpress
Vendors & Products Querysol
Querysol redirection For Contact Form 7
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 02:30:00 +0000

Type Values Removed Values Added
Description The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
Title Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2025-08-20T15:15:28.803Z

Reserved: 2025-07-24T19:08:42.997Z

Link: CVE-2025-8145

cve-icon Vulnrichment

Updated: 2025-08-20T13:57:21.811Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-20T03:15:35.857

Modified: 2025-08-20T14:39:07.860

Link: CVE-2025-8145

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-24T22:19:12Z