{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8141", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-24T16:21:17.311Z", "datePublished": "2025-08-20T01:44:36.793Z", "dateUpdated": "2026-04-08T17:34:28.152Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:28.152Z"}, "affected": [{"vendor": "themeisle", "product": "Redirection for Contact Form 7", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fafd0159-25ab-430d-88ef-c4d09d23baa7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.3/classes/class-wpcf7r-save-files.php#L80"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Tan Phat"}], "timeline": [{"time": "2025-07-05T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-08-19T12:31:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T13:56:55.523929Z", "id": "CVE-2025-8141", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T15:15:16.516Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-20T13:56:55.523929Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T13:56:58.249Z"}}], "cna": {"title": "Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Tan Phat"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "themeisle", "product": "Redirection for Contact Form 7", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-05T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-08-19T12:31:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fafd0159-25ab-430d-88ef-c4d09d23baa7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.3/classes/class-wpcf7r-save-files.php#L80"}], "descriptions": [{"lang": "en", "value": "The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:28.152Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8141", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:28.152Z", "dateReserved": "2025-07-24T16:21:17.311Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-20T01:44:36.793Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El complemento Redirection for Contact Form 7 de WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n delete_associated_files en todas las versiones hasta la 3.2.4 incluida. Esto permite que atacantes no autenticados eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-8141", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-20T03:15:35.640", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.3/classes/class-wpcf7r-save-files.php#L80"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fafd0159-25ab-430d-88ef-c4d09d23baa7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:50:52.397658+00:00", "value": {"mitigation_remediation": ["Update the Redirection for Contact Form 7 plugin to the latest available version (3.2.5 or newer) to eliminate the deletion flaw", "If an immediate upgrade is not possible, remove the delete_associated_files functionality by deleting the file-wrapping code or disabling the plugin altogether", "Apply stricter file system permissions to prevent deletion of critical WordPress configuration files"], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated file deletion potentially leading to remote code execution"}, "threat_synthesis": {"affected_systems": "This problem exists in all releases of the Redirection for Contact Form 7 plugin up to version 3.2.4. The affected product is the WordPress plugin Redirection for Contact Form 7 distributed by Themeisle. Users running any of these versions on a WordPress site are at risk.", "description_and_impact": "The Redirection for Contact Form 7 plugin for WordPress contains a flaw in its delete_associated_files function that does not properly validate file paths. This flaw allows an attacker who can reach the plugin\u2019s interface to delete any file on the server. Removal of critical files such as wp-config.php can provide an attacker with the ability to gain remote code execution or compromise the site\u2019s integrity and availability. The weakness is identified as an arbitrary file deletion vulnerability (CWE-22).", "risk_and_exploitability": "With a CVSS score of 8.8 the vulnerability is considered high severity, although the EPSS score indicates a very low current exploitation likelihood (<1%). It is not listed in the CISA KEV catalog. The attack can be carried out by any unauthenticated user who can invoke the delete_associated_files routine, making the threat human\u2011friendly. Once the attacker deletes a file that is subsequently loaded by the server, remote code execution can be achieved without needing further access or credentials. Because the vulnerability does not require any advanced conditions, the risk to affected sites is considerable should an attacker locate a way to trigger the deletion endpoint."}}}}, "created": "2026-04-20T20:00:10.509611+00:00", "updated": "2026-04-20T20:00:10.509630+00:00", "vendors": []}