Vulnerabilities and security researches forwpcf7-redirect wpcf7-redirect

Direction: descending

Aug 20, 2025

Redirection for Contact Form 7 # CVE-2025-8141

CVE, Research URL: CVE-2025-8141
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: Aug 20, 2025
Research Description: The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2025-8289

CVE, Research URL: CVE-2025-8289
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: Aug 20, 2025
Research Description: The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the delete_associated_files function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a file upload action, and doesn't affect sites with PHP version > 8. This vulnerability also requires the 'Redirection For Contact Form 7 Extension - Create Post' extension to be installed and activated in order to be exploited. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. We confirmed there is a usable gadget in Contact Form 7 plugin that makes arbitrary file deletion possible when installed with this plugin. Given Contact Form 7 is a requirement of this plugin, it is likely that any site with this plugin and the 'Redirection For Contact Form 7 Extension - Create Post' extension enabled is vulnerable to arbitrary file deletion.
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2025-8145

CVE, Research URL: CVE-2025-8145
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: Aug 20, 2025
Research Description: The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
Affected versions: Min -, max -.
Status: vulnerable

Nov 14, 2024

Redirection for Contact Form 7 # CVE-2022-4974

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: Min -, max -.
Status: vulnerable

Jun 10, 2024

Redirection for Contact Form 7 # CVE-2023-39920

CVE, Research URL: CVE-2023-39920
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: Dec 13, 2024
Research Description: Missing Authorization vulnerability in Themeisle Redirection for Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Redirection for Contact Form 7: from n/a through 2.9.2.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

Redirection for Contact Form 7 # CVE-2021-24280

CVE, Research URL: CVE-2021-24280
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: May 14, 2021
Research Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2021-24279

CVE, Research URL: CVE-2021-24279
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: May 14, 2021
Research Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2021-36913

CVE, Research URL: CVE-2021-36913
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: Oct 11, 2022
Research Description: Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe.
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2021-24282

CVE, Research URL: CVE-2021-24282
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: May 14, 2021
Research Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin’s settings, wpcf7r_add_action to add actions to a form, and more.
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2022-0250

CVE, Research URL: CVE-2022-0250
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: Jul 04, 2022
Research Description: The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a link generated before outputting it in an attribute, leading to a Reflected Cross-Site Scripting
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2023-23990

CVE, Research URL: CVE-2023-23990
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: May 17, 2024
Research Description: Improper Privilege Management vulnerability in Qube One Ltd. Redirection for Contact Form 7 wpcf7-redirect allows Privilege Escalation.This issue affects Redirection for Contact Form 7: from n/a through 2.7.0.
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2021-24281

CVE, Research URL: CVE-2021-24281
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: May 14, 2021
Research Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
Affected versions: Min -, max -.
Status: vulnerable

Redirection for Contact Form 7 # CVE-2021-24278

CVE, Research URL: CVE-2021-24278
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Date: May 14, 2021
Research Description: In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
Affected versions: Min -, max -.
Status: vulnerable