CVE-2025-8141 HIGH

CVE-2025-8141: Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion

Vendor Themeisle
Product Redirection for Contact Form 7
Weakness CWE-22 · Path traversal
Published August 20, 2025
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
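The class of flaw described above, shown from the fix side as an added example (not the plugin's code and not from the vendor): a deletion helper that resolves the requested path and refuses anything outside one base directory. The function name `delete_confined_file`, the directory layout and the sample files are hypothetical and constructed for the demonstration.

```php
<?php
// Added illustration; names and paths are hypothetical, not taken from the plugin.

/**
 * Delete $requested only if it resolves to a regular file inside $baseDir.
 * Returns true when a file was deleted, false when the request was rejected.
 */
function delete_confined_file(string $baseDir, string $requested): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks; it returns false if the target is missing.
    $target = realpath($requested);
    if ($target === false) {
        return false;
    }
    // Require the resolved path to sit below the base directory.
    // The trailing separator stops "/uploads-other" from matching "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Only regular files are eligible; directories and special files are refused.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree: one permitted upload and one file outside the upload directory.
$root = sys_get_temp_dir() . '/confine_demo_' . bin2hex(random_bytes(4));
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/attachment.txt', 'form upload');
file_put_contents($root . '/site-config.php', 'stand-in for a sensitive file');

var_dump(delete_confined_file($uploads, $uploads . '/attachment.txt'));    // inside the base
var_dump(delete_confined_file($uploads, $uploads . '/../site-config.php')); // resolves outside
var_dump(file_exists($root . '/site-config.php'));                          // outside file state

// Clean up the demo tree.
unlink($root . '/site-config.php');
rmdir($uploads);
rmdir($root);
```

The containment check has to run on the resolved path, immediately before `unlink()`, on every code path that deletes a file named by request data.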

Explanation of Vulnerability in Simple Terms

02 Summary

The Redirection for Contact Form 7 plugin versions 3.2.4 and earlier contain a path traversal vulnerability that allows an attacker to read or write arbitrary files on the site. An attacker must trick a site administrator into visiting a malicious link. This can lead to complete site compromise, including data theft and malware injection.

What an attacker can do

03 Attacker Capabilities

Read or write arbitrary files on the server, potentially stealing data or injecting malware.

Potential impact on your site

04 Site Impact

An attacker can steal sensitive files, modify site code, or inject malware if an admin is tricked into clicking a link.

Conditions required to exploit

05 Prerequisites

Site administrator must click a malicious link or visit an attacker-controlled page.

Key dates

06 Disclosure timeline

August 20, 2025 CVE published
April 8, 2026 Record updated