CVE-2025-8145 HIGH

CVE-2025-8145: Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection

Vendor Themeisle

Product Redirection for Contact Form 7

Weakness CWE-502 · Unsafe deserialization

Published August 20, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible

Key dates

02Disclosure timeline

August 20, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-8145 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

CVE-2025-8145: Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection

01Description

02Disclosure timeline

03References

04Related CVE