Redirection for Contact Form 7

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Basic Information

ID CVE-2025-8141

Source Wordfence

Published Aug 20, 2025 at 01:44

Affected Product

Vendor themeisle

Product Redirection for Contact Form 7

Version *

Affected Versions themeisle Redirection for Contact Form 7 *

CWE Classification

CWE-22

AI Assessment

AI Score 8.8 / 10

AI Severity HIGH

Vendor themeisle

Product Redirection for Contact Form 7

Version <=3.2.4

References

{
    "lastseen": "",
    "description": "The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
    "published": "2025-08-20T01:44:36.793Z",
    "modified": "2025-08-20T01:44:36.793Z",
    "type": "cve",
    "title": "Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fafd0159-25ab-430d-88ef-c4d09d23baa7?source=cve\nhttps://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.3/classes/class-wpcf7r-save-files.php#L80",
    "id": "CVE-2025-8141",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "themeisle Redirection for Contact Form 7 *",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Redirection for Contact Form 7",
    "version": "*",
    "vendor": "themeisle",
    "ai_description": "The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
    "ai_severity": "HIGH",
    "ai_vendor": "themeisle",
    "ai_product": "Redirection for Contact Form 7",
    "ai_version": "<=3.2.4",
    "ai_score": 8.8
}

Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion_CVE-2025-8141