CVE-2025-8289
📋 TL;DR
This vulnerability in the Redirection for Contact Form 7 WordPress plugin allows unauthenticated attackers to perform PHP object injection when specific conditions are met. Sites running WordPress with this plugin up to version 3.2.4, PHP ≤7, the 'Redirection For Contact Form 7 Extension - Create Post' extension, and Contact Form 7 with file upload forms are affected. The impact depends on whether other plugins/themes provide POP chains for exploitation.
💻 Affected Systems
- Redirection for Contact Form 7 WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file deletion, sensitive data exposure, or remote code execution if a suitable POP chain exists from another plugin/theme.
Likely Case
Arbitrary file deletion, because Contact Form 7 supplies a known gadget that this plugin's deserialization can reach.
If Mitigated
No impact if PHP >8, the required extension is not active, or no POP chain exists from other components.
🎯 Exploit Status
Exploitation requires a specific plugin combination and PHP version constraints. No POP chain is known in the vulnerable plugin alone, but Contact Form 7 provides a gadget for file deletion.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.2.4
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.4/classes/class-wpcf7r-save-files.php#L80
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Redirection for Contact Form 7'.
4. Click 'Update Now' if available, or manually update to the latest version.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable extension
Deactivate the 'Redirection For Contact Form 7 Extension - Create Post' extension to prevent exploitation.
wp plugin deactivate wpcf7-redirect-extension-create-post
Upgrade PHP version
Update PHP to version 8.0 or higher, as the vulnerability does not affect PHP >8.
sudo apt update && sudo apt upgrade php
🧯 If You Can't Patch
- Disable the Redirection for Contact Form 7 plugin entirely until patched.
- Remove file upload functionality from Contact Form 7 forms to eliminate attack vector.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Redirection for Contact Form 7' version ≤3.2.4, verify PHP version ≤7, and check if 'Redirection For Contact Form 7 Extension - Create Post' is active.
Check Version:
wp plugin get wpcf7-redirect --field=version
Verify Fix Applied:
Confirm plugin version is >3.2.4 in WordPress admin panel and check that the delete_associated_files function no longer deserializes untrusted input.
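As an added example (not part of this advisory or the plugin's own code), the following script evaluates the preconditions listed under "Check if Vulnerable" from values you gather yourself, for instance the output of `wp plugin get wpcf7-redirect --field=version`, `php -r 'echo PHP_VERSION;'`, and `wp plugin is-active <slug>`. The 3.2.4 and PHP-major-8 thresholds come from the page; the `SiteState` field names and the version parsing are assumptions of this example.

```python
"""Evaluate whether a site meets every precondition the advisory lists.
Added example; values are supplied by the operator, not read from WordPress."""
from dataclasses import dataclass
from typing import Optional, Tuple

PLUGIN_LAST_AFFECTED = (3, 2, 4)   # page: affected up to and including 3.2.4
PHP_SAFE_MAJOR = 8                 # page: affected on PHP <= 7, no impact on PHP 8+


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.2.4' or '7.4.33-1ubuntu' into a tuple of ints for comparison.
    Trailing non-digits in a component (e.g. '33-1ubuntu') are dropped."""
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class SiteState:
    plugin_version: Optional[str]          # None if wpcf7-redirect is not installed
    php_version: str                       # e.g. output of php -r 'echo PHP_VERSION;'
    create_post_extension_active: bool     # the 'Create Post' extension (assumed slug)
    cf7_file_upload_forms: bool            # Contact Form 7 forms that accept uploads


def assess(state: SiteState) -> dict:
    """Return each precondition from the advisory and whether all hold at once."""
    plugin_affected = (
        state.plugin_version is not None
        and parse_version(state.plugin_version) <= PLUGIN_LAST_AFFECTED
    )
    php_affected = parse_version(state.php_version)[0] < PHP_SAFE_MAJOR
    findings = {
        "plugin_version_affected": plugin_affected,
        "php_version_affected": php_affected,
        "create_post_extension_active": state.create_post_extension_active,
        "cf7_file_upload_forms": state.cf7_file_upload_forms,
    }
    # Only the conjunction of all conditions matches the advisory's affected set.
    findings["exposed"] = all(findings.values())
    return findings


if __name__ == "__main__":
    # Constructed sample state for illustration only.
    sample = SiteState("3.2.4", "7.4.33-1ubuntu", True, True)
    for key, value in assess(sample).items():
        print(f"{key}: {value}")
```

Any single condition evaluating to False is enough to take the site out of the affected set, which mirrors the "If Mitigated" row above; the script reports each condition separately so you can see which mitigation is doing the work.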
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php or admin-post.php with serialized data
- File deletion events in WordPress uploads directory without user action
Network Indicators:
- HTTP requests containing serialized PHP objects (O: syntax) to WordPress endpoints
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" OR "admin-post.php") AND "delete_associated_files"
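As an added example (not part of this advisory), the scanner below applies the log and network indicators above to request records: it flags POST requests to `admin-ajax.php` or `admin-post.php` whose parameters contain the PHP serialized-object marker (`O:<len>:"`), checking both the raw and the URL-decoded form since the marker is usually percent-encoded in transit. The `METHOD PATH BODY` record format, the sample lines and the `Example` class name are all constructed for this example; adapt `parse_line` to whatever your WAF or application log actually emits.

```python
"""Flag requests that match the advisory's detection indicators.
Added example over constructed request records; not the vendor's tooling."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Endpoints named under "Log Indicators".
WATCHED_ENDPOINTS = ("admin-ajax.php", "admin-post.php")

# PHP serialized-object header: O:<name length>:"<class name>":...  (the "O: syntax"
# named under "Network Indicators"). Arrays (a:), strings (s:) etc. are not matched.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"')

# Constructed records in an assumed "METHOD PATH BODY" format.
SAMPLE_LOG = [
    'POST /wp-admin/admin-ajax.php action=heartbeat&_nonce=abc123',
    'POST /wp-admin/admin-ajax.php action=wpcf7r_save&data=O%3A7%3A%22Example%22%3A0%3A%7B%7D',
    'GET /wp-content/uploads/2025/07/report.pdf -',
    'POST /wp-admin/admin-post.php payload=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22ok%22%3B%7D',
    'malformed line without enough fields',
]


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a record into (method, path, body); None if it is not well formed."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def is_watched_endpoint(path: str) -> bool:
    """True when the request targets one of the advisory's named endpoints."""
    return path.rsplit("/", 1)[-1] in WATCHED_ENDPOINTS


def contains_serialized_object(text: str) -> bool:
    """Look for the O:<len>:" marker in the raw text and its URL-decoded form."""
    return bool(SERIALIZED_OBJECT.search(text) or SERIALIZED_OBJECT.search(unquote_plus(text)))


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per record that matches all three indicators."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        method, path, body = parsed
        if method == "POST" and is_watched_endpoint(path) and contains_serialized_object(body):
            hits.append({"line": lineno, "path": path, "decoded": unquote_plus(body)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: serialized object sent to {hit['path']}")
```

Matching on the object header rather than on a specific class name keeps the rule independent of which gadget a given site happens to ship, at the cost of also flagging legitimate callers that post serialized objects; in practice, run it only against the two endpoints above and review hits alongside the file-deletion events the advisory lists.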