Redirection for Contact Form 7, CVE-2025-8145

CVE, Research URL: CVE-2025-8145
Home page URL: Security reports for Redirection for Contact Form 7
Application: Redirection for Contact Form 7
Published on: Aug 20, 2025
Research Description: The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
Affected versions: Min -, max 3.2.5.
Status: vulnerable