cleantalk
Vulnerabilities and Security Researches

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection), CVE-2025-7645

CVE, Research URL

CVE-2025-7645

Home page URL

Security reports for Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)

Application

Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)

Published on
Jul 22, 2025
Research Description
The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions
Min -, max 3.2.9.
Status
vulnerable
Previous vulnerability researches
WP Delicious – Best WordPress Recipes Plugin (formerly Delicious Recipes) (CVE-2024-43935) , Aug 29, 2024
WP Delicious – Best WordPress Recipes Plugin (formerly Delicious Recipes) (CVE-2022-4974) , Nov 15, 2024
WP Delicious – Best WordPress Recipes Plugin (formerly Delicious Recipes) (CVE-2024-7626) , Sep 12, 2024
WP Delicious – Best WordPress Recipes Plugin (formerly Delicious Recipes) (CVE-2025-54023) , Jul 18, 2025
WP Delicious – Best WordPress Recipes Plugin (formerly Delicious Recipes) (69b9546984aa5697575c7b6215bb7578e9e1b2c0) , Jun 06, 2024
New vulnerability
CRM and Lead Management by vcita (CVE-2025-5240) , Jul 23, 2025
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor (CVE-2025-4685) , Jul 23, 2025
Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Galle (CVE-2025-7644) , Jul 23, 2025
bSecure – Your Universal Checkout (CVE-2025-6187) , Jul 23, 2025
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin (CVE-2025-6831) , Jul 23, 2025