PT-2025-33894 · Unknown+1 · Contact Form 7+1
Phat Rio
·
Published
2025-08-20
·
Updated
2025-09-15
·
CVE-2025-8145
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Redirection for Contact Form 7 plugin for WordPress versions up to and including 3.2.4
Description:
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input in the
get lead fields function. This allows unauthenticated attackers to inject a PHP Object. The presence of a POP chain in the plugin allows attackers to delete arbitrary files. In certain server configurations, Remote Code Execution is possible.Recommendations:
Update the Redirection for Contact Form 7 plugin to a version later than 3.2.4.
Fix
RCE
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Contact Form 7
Redirection For Contact Form 7