PT-2025-30383 · WordPress · Redirection+3
Published: 2025-07-22 · Updated: 2025-07-22 · CVE-2025-7645
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Extensions For CF7 versions up to and including 3.2.8
Description
The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete-file field. This allows unauthenticated attackers to delete arbitrary files on the server when an administrator deletes a submission. Deletion of specific files, such as wp-config.php, could lead to remote code execution.
Recommendations
Versions prior to 3.2.9 are affected.
Update the Extensions For CF7 plugin to a version later than 3.2.8.
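The weakness described above is a stored file path reaching a delete call without validation. The following containment check is an added example of how such a path can be validated before deletion; it is not the plugin's code or its patch, and the function name `safe_delete_upload`, the uploads directory layout and the demo file names are assumptions.

```php
<?php
// Added example: hypothetical helper, not the plugin's code or its patch.
// Deletes a file only if it resolves to a regular file inside $baseDir.
function safe_delete_upload(string $storedPath, string $baseDir): bool
{
    // Canonicalise the allowed directory; fail closed if it is missing.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // Keep only the file name: discards "../" sequences and absolute paths.
    $name = basename(str_replace('\\', '/', $storedPath));
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // Resolve symlinks, then require the result to sit under the base dir.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return unlink($target);
}

// Constructed demo tree: an uploads directory beside a sentinel config file.
$root = sys_get_temp_dir() . '/cf7demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/wp-config.php", 'sentinel');
file_put_contents("$root/uploads/resume.pdf", 'upload');

$cases = ['../wp-config.php', "$root/wp-config.php", 'resume.pdf'];
foreach ($cases as $stored) {
    printf("%-40s deleted=%s\n", $stored, var_export(safe_delete_upload($stored, "$root/uploads"), true));
}
printf("sentinel still present: %s\n", var_export(file_exists("$root/wp-config.php"), true));
```

The check fails closed: a value that does not resolve to an existing regular file under the allowed directory is never passed to `unlink`.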
Fix
RCE
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Conditional Fields
Database For Contact Form 7
Extensions For Cf7
Redirection