CVE-2025-7645
📋 TL;DR
The Extensions For CF7 WordPress plugin has an arbitrary file deletion vulnerability that allows unauthenticated attackers to delete any file on the server when an administrator deletes a form submission. This affects all WordPress sites using this plugin up to version 3.2.8, and can lead to complete site compromise by deleting critical files like wp-config.php.
💻 Affected Systems
- Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover via remote code execution by deleting wp-config.php or other critical system files, leading to data loss and server compromise.
Likely Case
Site defacement or disruption by deleting theme files, plugins, or configuration files, causing downtime and potential data loss.
If Mitigated
Limited impact if proper file permissions and web application firewalls are in place, though file deletion could still occur.
🎯 Exploit Status
Exploitation requires an administrator to delete a malicious form submission; the file path is supplied by an unauthenticated attacker when the submission is created, and the deletion runs as a side effect of the administrator's action.
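To make the mechanism concrete, here is an added example of the check a submission-deletion handler needs before calling unlink(); it is not code from the Extensions For CF7 plugin, and the function name and $uploads_dir parameter are assumptions. Only a plain file name that resolves to a regular file inside the uploads directory is deleted; anything else stored in the submission is rejected.

```php
<?php
// Added example, not code from the Extensions For CF7 plugin. The function
// name and the $uploads_dir parameter are assumptions for this illustration.

/**
 * Delete a stored attachment only if it resolves to a regular file inside
 * $uploads_dir. Returns true on deletion, false when the path is rejected.
 */
function delete_submission_attachment(string $uploads_dir, string $stored_path): bool
{
    $base = realpath($uploads_dir);
    if ($base === false || $stored_path === '') {
        return false;
    }
    // The submission field should only ever hold the bare file name the upload
    // handler assigned; anything with a directory component is rejected.
    if (basename($stored_path) !== $stored_path) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks, so a link left inside the
    // uploads directory that points elsewhere is also caught below.
    $target = realpath($base . DIRECTORY_SEPARATOR . $stored_path);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Containment check: the resolved path must start with "<uploads dir>/".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo: a scratch uploads directory with one legitimate attachment
// and one file outside it that a malicious submission tries to reach.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cf7-demo-' . uniqid();
mkdir($uploads, 0755, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'resume.pdf', 'sample');
$outside = tempnam(sys_get_temp_dir(), 'cf7-outside-');

foreach (['../' . basename($outside), '/etc/passwd', '..', 'resume.pdf'] as $candidate) {
    $ok = delete_submission_attachment($uploads, $candidate);
    printf("%-40s %s\n", $candidate, $ok ? 'deleted' : 'rejected');
}
printf("file outside uploads still present: %s\n", file_exists($outside) ? 'yes' : 'no');

unlink($outside);
rmdir($uploads);
```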
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.9 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Extensions For CF7' and click 'Update Now'.
4. Alternatively, download version 3.2.9+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate extensions-for-cf7
Restrict admin actions
Limit which administrators can delete form submissions
🧯 If You Can't Patch
- Implement strict file permissions (e.g., chmod 644 for config files, 755 for directories)
- Deploy web application firewall (WAF) rules to block file deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Extensions For CF7' version 3.2.8 or lower
Check Version:
wp plugin get extensions-for-cf7 --field=version
Verify Fix Applied:
Verify plugin version is 3.2.9 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in web server logs
- POST requests to admin-ajax.php with 'delete-file' parameter
- 404 errors for critical files like wp-config.php
Network Indicators:
- HTTP POST requests containing file paths in parameters
- Requests to admin-ajax.php from unexpected sources
SIEM Query:
source="web_server" AND (uri_path="*/admin-ajax.php*" AND (param="delete-file" OR param_contains="/"))
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3330857%40extensions-for-cf7&new=3330857%40extensions-for-cf7&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/extensions-for-cf7/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/894b43ed-143d-4c0b-afd1-05fcd6fa5018?source=cve