cleantalk
Vulnerabilities and Security Researches

Redirection for Contact Form 7, CVE-2025-14800

CVE, Research URL

CVE-2025-14800

Home page URL

Security reports for Redirection for Contact Form 7

Application

Redirection for Contact Form 7

Published on
Dec 21, 2025
Research Description
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server.
Affected versions
max 3.2.8.
Status
vulnerable
Previous vulnerability researches
Redirection for Contact Form 7 (CVE-2023-39920) , Jun 10, 2024
Redirection for Contact Form 7 (CVE-2022-4974) , Nov 14, 2024
Redirection for Contact Form 7 (CVE-2025-8141) , Aug 20, 2025
Redirection for Contact Form 7 (CVE-2025-8289) , Aug 20, 2025
Redirection for Contact Form 7 (CVE-2025-8145) , Aug 20, 2025
New vulnerability
Kirki Customizer Framework (CVE-2026-8096) , May 22, 2026
Kirki Customizer Framework (CVE-2026-8073) , May 22, 2026
Five Star Restaurant Reservations – WordPress Booking Plugin (CVE-2026-42670) , May 22, 2026
GiveWP – Donation Plugin and Fundraising Platform (CVE-2026-42678) , May 21, 2026
Smart Coupons For WooCommerce Coupons (CVE-2026-45438) , May 21, 2026