CVE-2025-6220
📋 TL;DR
The Ultra Addons for Contact Form 7 WordPress plugin has a vulnerability that allows authenticated administrators to upload arbitrary files due to missing file type validation. This can lead to remote code execution on affected WordPress sites. Only sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Ultra Addons for Contact Form 7 WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for further attacks.
Likely Case
Attackers with administrator access upload malicious files (like PHP webshells) to gain persistent access and execute arbitrary code on the server.
If Mitigated
If proper file upload restrictions and web application firewalls are in place, exploitation attempts would be blocked or detected.
🎯 Exploit Status
Exploitation requires administrator credentials. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.13
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3288584/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Ultra Addons for Contact Form 7'.
4. Click 'Update Now' if available, or download version 3.5.13+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Ultra Addons for Contact Form 7 plugin until patched:
wp plugin deactivate ultimate-addons-for-contact-form-7
Restrict file uploads via .htaccess
Block execution of uploaded files in the WordPress uploads directory.
Add to .htaccess in wp-content/uploads (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" in place of "deny from all"):
<Files *.php>
deny from all
</Files>
🧯 If You Can't Patch
- Remove administrator access from untrusted users and implement strong password policies
- Implement web application firewall rules to block suspicious file uploads and PHP execution attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Ultra Addons for Contact Form 7' version 3.5.12 or lower
Check Version:
wp plugin get ultimate-addons-for-contact-form-7 --field=version
Verify Fix Applied:
Verify plugin version is 3.5.13 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to WordPress admin area
- PHP file creation in uploads directory from admin users
- POST requests to /wp-admin/admin-ajax.php with file upload parameters
Network Indicators:
- HTTP POST requests with file uploads to WordPress admin endpoints from unusual locations
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" AND "action=save_options") AND ("upload" OR ".php")
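The version check from the "How to Verify" section and the log and uploads-directory indicators above, as one added defender-side script. This is an example written for this page, not code from the plugin, the advisory or any of the referenced write-ups. It assumes the request parameters (action and upload field) are visible in the log line, for example via the query string or a WAF log; the sample log lines, the `upload=logo.php` parameter in them and the `dropped.php` file are constructed placeholders.

```python
"""Defender checks for CVE-2025-6220 (constructed example, not the advisory's own code).

  * is_vulnerable_version(): compares a plugin version string against the fixed release 3.5.13
  * scan_access_log(): flags POSTs to admin-ajax.php carrying action=save_options plus an
    upload/.php marker, the same conditions as the SIEM query above
  * find_php_in_uploads(): lists PHP files under wp-content/uploads, which should normally be empty
"""
import os
import re
import tempfile
from typing import Iterable, List, Tuple

FIXED_VERSION = (3, 5, 13)  # first patched release named in the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    # "3.5.12" -> (3, 5, 12); a suffix such as "-beta" is dropped, only the numeric prefix counts
    m = re.match(r"^(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(v: str) -> bool:
    parsed = parse_version(v)
    parsed = parsed + (0,) * (len(FIXED_VERSION) - len(parsed))  # "3.5" compares as (3, 5, 0)
    return parsed < FIXED_VERSION


# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; the upload parameter name is a placeholder, not a real plugin field.
SAMPLE_LOG = [
    '203.0.113.5 - admin [10/Jul/2025:10:01:02 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=save_options&upload=logo.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2025:10:02:03 +0000] '
    '"GET /wp-content/uploads/2025/07/photo.jpg HTTP/1.1" 200 20480',
    '203.0.113.5 - admin [10/Jul/2025:10:03:04 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80',
]


def scan_access_log(lines: Iterable[str]) -> List[dict]:
    """Return the log entries matching the page's indicators: POST to admin-ajax.php with
    action=save_options and an upload or .php marker in the request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m.group("path")
        if m.group("method") != "POST" or "/wp-admin/admin-ajax.php" not in path:
            continue
        q = path.lower()
        if "action=save_options" in q and ("upload" in q or ".php" in q):
            hits.append({"ip": m.group("ip"), "user": m.group("user"),
                         "ts": m.group("ts"), "path": path})
    return hits


PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")


def find_php_in_uploads(uploads_dir: str) -> List[str]:
    """Walk the uploads tree and return PHP-like files as forward-slash relative paths."""
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                rel = os.path.relpath(os.path.join(root, name), uploads_dir)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def demo_uploads_scan() -> List[str]:
    """Build a throwaway uploads tree with one image and one planted PHP file, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "2025", "07"))
        for rel in ("2025/07/photo.jpg", "2025/07/dropped.php"):
            with open(os.path.join(d, *rel.split("/")), "w") as fh:
                fh.write("x")
        return find_php_in_uploads(d)


if __name__ == "__main__":
    print("3.5.12 vulnerable:", is_vulnerable_version("3.5.12"))
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious admin-ajax POST:", hit)
    print("PHP files in uploads:", demo_uploads_scan())
```

Run it against real data by feeding `scan_access_log` an opened access log and `find_php_in_uploads` the site's wp-content/uploads path; a non-empty result from either is the indicator the section above describes, and a PHP file in uploads is worth checking regardless of plugin version since the .htaccess workaround only stops execution, not the write.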
🔗 References
- https://github.com/d0n601/CVE-2025-6220
- https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/admin/tf-options/classes/UACF7_Settings.php#L894-920
- https://plugins.trac.wordpress.org/changeset/3288584/
- https://ryankozak.com/posts/cve-2025-6220/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/697f3432-63b7-42d6-b188-812165cd2020?source=cve