CVE-2025-7645 HIGH

CVE-2025-7645: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) <= 3.2.8 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion

Vendor Htplugins
Product Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)
Weakness CWE-22 · Path traversal
Published July 22, 2025
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Explanation of Vulnerability in Simple Terms

02 Summary

Extensions For CF7 versions up to 3.2.8 contain a path traversal vulnerability that allows an attacker to modify or delete files on the site. The vulnerability requires user interaction, typically a victim clicking a malicious link. An attacker can alter site files, corrupt the database, or disable the site entirely without needing to log in.

What an attacker can do

03 Attacker Capabilities

Modify or delete files on the site, including core WordPress files and the database.

Potential impact on your site

04 Site Impact

Site files and database can be corrupted or deleted, potentially taking the site offline or exposing sensitive data.

Conditions required to exploit

05 Prerequisites

Victim must click a malicious link or visit an attacker-controlled page; no login required.

Key dates

06 Disclosure timeline

July 22, 2025 CVE published
April 8, 2026 Record updated