PT-2025-33895 · Unknown · Redirection For Contact Form 7 Extension - Create Post

Published: 2025-08-20 · Updated: 2025-08-20 · CVE-2025-8289

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Redirection for Contact Form 7 plugin for WordPress versions prior to 3.2.5
Description: The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection through deserialization of untrusted input in the delete associated files function. Unauthenticated attackers can exploit the issue when a form with a file upload action is present on the site and the 'Redirection For Contact Form 7 Extension - Create Post' extension is installed and activated. The vulnerable software itself contains no known POP (property-oriented programming) chain, so the vulnerability has no impact unless another plugin or theme containing a POP chain is installed. The Contact Form 7 plugin contains a usable gadget: when it is installed alongside the vulnerable plugin, the injection enables arbitrary file deletion.
Recommendations: Update the Redirection for Contact Form 7 plugin to version 3.2.5 or later. Ensure the 'Redirection For Contact Form 7 Extension - Create Post' extension is not installed or activated.

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2025-8289

Affected Products:
- Contact Form 7
- Redirection For Contact Form 7 Extension - Create Post
- Redirection For Contact Form 7