What the vulnerability does
01 Description
The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
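The root cause stated above is a file name taken from submission data reaching the delete routine without a check that it resolves inside the directory the plugin owns. The following is an added defensive example, not code from the plugin: the function names `resolve_inside_base` and `safe_delete_upload` are assumed, the temporary directory is constructed for the demonstration, and in a real plugin the base directory would come from WordPress's `wp_upload_dir()`.

```php
<?php
// Added defensive example, not code from the Extensions For CF7 plugin.
// A stored file name taken from a form submission is only passed to unlink()
// after its canonical path is proven to lie inside the plugin's own directory.

/**
 * Resolve $candidate relative to $baseDir. Returns the canonical path when it
 * stays inside $baseDir, or null on traversal, symlink escape, or a missing file.
 */
function resolve_inside_base(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($candidate, "\0") !== false) {
        return null; // unknown base directory, or NUL byte in the name
    }
    // Always treat the stored value as relative to the base, never as an absolute path.
    $target = realpath($base . DIRECTORY_SEPARATOR . $candidate);
    if ($target === false) {
        return null; // nothing to delete
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // "../" or a symlink led outside the allowed directory
    }
    return $target;
}

/** Delete only regular files that resolve inside $baseDir; log and refuse anything else. */
function safe_delete_upload(string $baseDir, string $candidate): bool
{
    $path = resolve_inside_base($baseDir, $candidate);
    if ($path === null || !is_file($path)) {
        error_log('refused to delete out-of-scope or missing file: ' . $candidate);
        return false;
    }
    return unlink($path);
}

// Demonstration on a constructed temporary directory (in WordPress, $baseDir
// would normally be wp_upload_dir()['basedir'] plus the plugin's own subfolder).
$base = sys_get_temp_dir() . '/cf7-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/sub', 0700, true);
file_put_contents($base . '/sub/attachment.txt', 'sample');

var_dump(safe_delete_upload($base, '../../../etc/hosts'));  // a traversal attempt
var_dump(safe_delete_upload($base, '/etc/hosts'));          // an absolute path
var_dump(safe_delete_upload($base, 'sub/attachment.txt'));  // a legitimate attachment

rmdir($base . '/sub');
rmdir($base);
```

Because the check compares canonical paths, a symlink planted inside the base directory that points elsewhere is refused as well, which a plain string check for "../" would miss.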
Explanation of Vulnerability in Simple Terms
02 Summary
Extensions For CF7 versions up to 3.2.8 contain a path traversal vulnerability that allows an attacker to modify or delete files on the site. The vulnerability requires user interaction, typically a victim clicking a malicious link. An attacker can alter site files, corrupt the database, or disable the site entirely without needing to log in.
What an attacker can do
03 Attacker Capabilities
Modify or delete files on the site, including core WordPress files and the database.
Potential impact on your site
04 Site Impact
Site files and database can be corrupted or deleted, potentially taking the site offline or exposing sensitive data.
Conditions required to exploit
05 Prerequisites
Victim must click a malicious link or visit an attacker-controlled page; no login required.
Key dates
06 Disclosure timeline
July 22, 2025: CVE published
April 8, 2026: Record updated