cleantalk
Vulnerabilities and Security Researches

Redirection for Contact Form 7, CVE-2025-8141

CVE, Research URL

CVE-2025-8141

Home page URL

Security reports for Redirection for Contact Form 7

Application

Redirection for Contact Form 7

Published on
Aug 20, 2025
Research Description
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions
Min -, max 3.2.5.
Status
vulnerable
Previous vulnerability researches
Redirection for Contact Form 7 (CVE-2023-39920) , Jun 10, 2024
Redirection for Contact Form 7 (CVE-2022-4974) , Nov 14, 2024
Redirection for Contact Form 7 (CVE-2025-8141) , Aug 20, 2025
Redirection for Contact Form 7 (CVE-2025-8289) , Aug 20, 2025
Redirection for Contact Form 7 (CVE-2025-8145) , Aug 20, 2025
New vulnerability
WP Activity Log , Aug 21, 2025
Online Booking & Scheduling Calendar for WordPress by vcita (CVE-2025-54677) , Aug 21, 2025
Superb Addons – WordPress Editor Blocks & Patterns and Elementor Sections & Elements , Aug 21, 2025
PHP Compatibility Checker , Aug 21, 2025
Infility Global (CVE-2025-47650) , Aug 21, 2025