Platform: wordpress
Component: extensions-for-cf7
Fixed in: 3.2.9
CVE-2025-7645 is an arbitrary file deletion vulnerability affecting the Extensions For CF7 plugin for WordPress. This flaw allows unauthenticated attackers to delete files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 3.2.8 of the plugin and is addressed in version 3.2.9.
The primary impact of CVE-2025-7645 is the potential for remote code execution (RCE). An attacker can exploit this vulnerability by crafting a malicious request to delete critical files, such as wp-config.php. Successful deletion of wp-config.php would grant the attacker complete control over the WordPress installation, allowing them to modify content, install malware, or compromise the entire system. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of attackers. This vulnerability shares similarities with other file deletion vulnerabilities where the deletion of core configuration files can lead to full system compromise.
CVE-2025-7645 was publicly disclosed on 2025-07-22. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the potential for RCE.
WordPress websites utilizing the Extensions For CF7 plugin, particularly those running older versions (0.0.0–3.2.8), are at significant risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable. Websites with weak server configurations or inadequate access controls are also at increased risk.
• wordpress / composer / npm: grep -r 'delete-file' /var/www/html/wp-content/plugins/extensions-for-cf7/
• wordpress / composer / npm: wp plugin list | grep 'extensions-for-cf7'
• wordpress / composer / npm: wp plugin update extensions-for-cf7 --version=3.2.9
• generic web: Check the WordPress plugin directory for outdated versions of Extensions For CF7.
EPSS: 0.55% (68th percentile)
The primary mitigation for CVE-2025-7645 is to immediately upgrade the Extensions For CF7 plugin to version 3.2.9 or later. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider restricting file access permissions on the WordPress server to limit the potential damage from a successful exploit. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests targeting the plugin's endpoints. Regularly review WordPress plugin installations and remove any unused or outdated plugins to reduce the attack surface. After upgrading, verify the fix by attempting to delete a test file through the plugin's interface and confirming that the deletion fails.
Update the Extensions For CF7 plugin to version 3.2.9 or later to fix the arbitrary file deletion vulnerability. This update corrects the missing validation of the file path, preventing unauthenticated attackers from deleting sensitive files on the server.
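As an added illustration of the bug class described above (not code from the Extensions For CF7 plugin; the hook, request parameter and upload directory names are hypothetical), an unvalidated deletion handler next to a hardened WordPress AJAX handler that confines deletion to one directory and requires authorization:

```php
<?php
// Hypothetical illustration, not the plugin's code. The handler names, the
// 'file' parameter and the 'cf7-uploads' directory are assumptions.

// Weak pattern: the path comes straight from the request and is unlinked,
// so any file the web server user may write (wp-config.php included) can go.
function cf7ext_delete_file_unsafe() {
    $file = isset( $_POST['file'] ) ? $_POST['file'] : '';
    if ( '' !== $file && file_exists( $file ) ) {
        unlink( $file );
    }
    wp_die();
}

// Hardened pattern: capability check, CSRF nonce, bare file name only,
// and a realpath containment check against the allowed directory.
function cf7ext_delete_file_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'cf7ext_delete_file', 'nonce' );

    // Strip directories and traversal: only a plain file name survives.
    $name = sanitize_file_name( wp_basename( wp_unslash( $_POST['file'] ?? '' ) ) );
    if ( '' === $name ) {
        wp_send_json_error( 'bad file name', 400 );
    }

    // Resolve the allowed directory and the target; realpath follows symlinks,
    // so a link planted inside the directory that points elsewhere is caught.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'cf7-uploads' );
    $target = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( ! $base || ! $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'outside allowed directory', 400 );
    }

    if ( ! is_file( $target ) || ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}

// Registered for logged-in requests only: no wp_ajax_nopriv_ hook, so an
// unauthenticated request never reaches the handler at all.
add_action( 'wp_ajax_cf7ext_delete_file', 'cf7ext_delete_file_safe' );
```

The containment check is the part that turns an arbitrary file deletion into a deletion limited to the plugin's own upload directory; the missing nopriv hook is what removes the unauthenticated attack surface the advisory describes.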
CVE-2025-7645 is a vulnerability in the Extensions For CF7 WordPress plugin allowing unauthenticated attackers to delete files, potentially leading to remote code execution.
You are affected if you are using Extensions For CF7 versions 0.0.0 through 3.2.8 on your WordPress website.
Upgrade the Extensions For CF7 plugin to version 3.2.9 or later to resolve the vulnerability.
There is currently no indication of active exploitation campaigns, but public PoCs are likely to emerge.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory.