Description
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the delete_associated_files function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a file upload action, and doesn't affect sites with PHP version > 8. This vulnerability also requires the 'Redirection For Contact Form 7 Extension - Create Post' extension to be installed and activated in order to be exploited. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. We confirmed there is a usable gadget in Contact Form 7 plugin that makes arbitrary file deletion possible when installed with this plugin. Given Contact Form 7 is a requirement of this plugin, it is likely that any site with this plugin and the 'Redirection For Contact Form 7 Extension - Create Post' extension enabled is vulnerable to arbitrary file deletion.
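As an added illustration (not code from the plugin or from the advisory), the hypothetical helpers below contrast the dangerous pattern the advisory names, a file-deletion routine that hands attacker-influenced paths straight to filesystem calls, with a hardened variant that rejects stream wrappers and confines deletion to an expected directory. The function names and the $base_dir parameter are assumptions.

```php
<?php
// Added example; not the plugin's code. On the PHP versions the advisory lists
// as affected, filesystem functions such as file_exists() or unlink() called on
// a "phar://..." path unserialize the archive's metadata, so a deletion helper
// fed untrusted paths becomes a CWE-502 deserialization sink.

// Hypothetical unsafe pattern: any string in $paths reaches file_exists()/unlink().
function delete_associated_files_unsafe(array $paths): void
{
    foreach ($paths as $p) {
        if (file_exists($p)) {   // a wrapper path is opened here before any check
            unlink($p);
        }
    }
}

// Hardened variant: only plain, existing regular files inside $base_dir are deleted.
// Returns the list of paths actually removed.
function delete_associated_files_safe(array $paths, string $base_dir): array
{
    $deleted = [];
    $base = realpath($base_dir);
    if ($base === false) {
        return $deleted;             // base directory must itself exist
    }
    foreach ($paths as $p) {
        // Reject any scheme/wrapper prefix (phar://, php://, data://, ...) before
        // the string is passed to any function that opens a stream.
        if (!is_string($p) || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $p)) {
            continue;
        }
        // realpath() resolves symlinks and ".." and returns false when the path
        // does not exist; wrapper paths are never resolved by it.
        $real = realpath($p);
        if ($real === false || !is_file($real)) {
            continue;
        }
        // Confine deletion to files strictly below the expected directory.
        $prefix = $base . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        if (unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}
```

Path validation of this kind reduces the sink's exposure but does not replace updating the plugin; the recommended actions on this page still apply.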
Published: 2025-08-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized PHP Object Injection
Action: Patch
AI Analysis

Impact

The Redirection for Contact Form 7 plugin for WordPress contains a PHP Object Injection vulnerability in all releases up to and including 3.2.4. The flaw resides in the delete_associated_files function, where untrusted input is deserialized, allowing an unauthenticated attacker to inject a PHP object via PHAR deserialization. If successfully exploited, the attacker can delete arbitrary files, retrieve sensitive data, or potentially execute code, though code execution is possible only when a POP (property-oriented programming) chain exists in another plugin or theme installed on the same site.

Affected Systems

The affected software is the Redirection for Contact Form 7 plugin by themeisle, versions up to and including 3.2.4. The vulnerability can be exercised only when the "Redirection For Contact Form 7 Extension – Create Post" add‑on is also installed and activated, and when a Contact Form 7 form with a file‑upload action is present on the site. Sites running PHP version greater than 8 are not impacted by this flaw.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of reporting. The flaw is not currently listed in the CISA KEV catalog. The likely attack vector is via the web form, meaning an unauthenticated remote attacker could submit crafted data to trigger the deserialization. Because the vulnerability alone permits only file deletion, the overall risk remains moderate, but the presence of any POP chain in installed plugins or themes can elevate the threat to arbitrary code execution.

Generated by OpenCVE AI on April 20, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Redirection for Contact Form 7 to the latest available version.
  • Disable or uninstall the "Redirection For Contact Form 7 Extension – Create Post" add‑on.
  • Remove or disable Contact Form 7 forms that include file‑upload functionality.
  • Identify and remediate any plugins or themes that provide a POP chain gadget; if none are present, the attack surface is minimal.
  • Upgrade the PHP runtime to a version newer than PHP 8 if the environment allows, which removes the vulnerability’s exploitation pathway.

Advisories
Source ID Title
EUVD EUVD-2025-28798 (title text identical to the Description above)
History

Wed, 20 Aug 2025 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 02:30:00 +0000

Type        | Values Removed | Values Added
Description |                | (same text as the Description above)
Title       |                | Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection via PHAR Deserialization
Weaknesses  |                | CWE-502
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:26.855Z

Reserved: 2025-07-28T20:44:04.810Z

Link: CVE-2025-8289

Vulnrichment

Updated: 2025-08-20T13:57:10.202Z

NVD

Status: Deferred

Published: 2025-08-20T03:15:36.040

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses