Platform: wordpress
Component: wpcf7-redirect
Fixed in: 3.2.5
CVE-2025-8145 is a critical PHP Object Injection vulnerability in the Redirection for Contact Form 7 plugin (wpcf7-redirect) for WordPress. An unauthenticated attacker can submit serialized data that the plugin hands to PHP's deserializer, instantiating attacker-chosen objects inside the application. Combined with a suitable gadget (POP) chain this yields arbitrary file deletion and, depending on which files the web server user is allowed to remove, Remote Code Execution (RCE). All versions up to and including 3.2.4 are affected; the fix is in version 3.2.5.
The root cause is in the plugin's getleadfields function, which passes input the attacker controls to unserialize() without restricting which classes may be instantiated. PHP Object Injection does not execute code by itself: unserialize() only creates objects and fills in their properties. The damage comes from magic methods (__destruct, __wakeup, __toString and similar) of classes that are already loaded, which run when those objects are later destroyed or used. Contact Form 7, which this plugin extends, contains such a class, giving attackers a known POP chain that ends in a file deletion on the server. What can be deleted is bounded by the web server user's filesystem permissions. Where that user can remove wp-config.php or other core, theme or plugin files, the deletion becomes a stepping stone to full compromise: removing wp-config.php, for example, drops the site back into the installation wizard, where an attacker can attach it to a database they control and then install arbitrary code. RCE therefore depends on server configuration, but where the conditions hold it gives complete control of the affected WordPress instance.
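The following is an added illustration of the bug class, not code from the wpcf7-redirect plugin or from Contact Form 7. The gadget class TempFileCleanup, the three get_lead_fields_* functions and the payload are invented for the demonstration; they show why unserialize() on client data is dangerous even when the application never uses the resulting object, and two ways to harden the call.

```php
<?php
// Added illustration of the bug class described above. This is not code from
// the wpcf7-redirect plugin or from Contact Form 7; the gadget class, the
// function names and the payload are invented for the demonstration.

// Hypothetical gadget: a class whose destructor removes a file. Cleanup code
// like this is common in plugins, and it is what a POP chain ends in.
class TempFileCleanup
{
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Runs when the object is destroyed, including objects that unserialize()
    // created from attacker data and that the application never touched.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE pattern: request data goes straight to unserialize(), so any
// loaded class can be instantiated with attacker-chosen property values.
function get_lead_fields_vulnerable(string $untrusted): array
{
    $data = unserialize($untrusted);
    return is_array($data) ? $data : [];
}

// HARDENED, option A: forbid object instantiation. Any O:... entry becomes a
// __PHP_Incomplete_Class instance, which has no magic methods to trigger.
function get_lead_fields_no_classes(string $untrusted): array
{
    $data = unserialize($untrusted, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED, option B: do not accept PHP serialization from clients at all.
function get_lead_fields_json(string $untrusted): array
{
    $data = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// ---- Demonstration on a constructed payload --------------------------------
$victim = tempnam(sys_get_temp_dir(), 'poi');      // stands in for wp-config.php
file_put_contents($victim, 'sensitive');

// The attacker's payload is a hand-written string: no TempFileCleanup object
// ever exists on the attacker's side, only its serialized form.
$payload = sprintf(
    'a:2:{s:5:"email";s:13:"a@example.com";s:1:"x";O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}}',
    strlen($victim),
    $victim
);

get_lead_fields_no_classes($payload);
printf("allowed_classes=false : %s\n", file_exists($victim) ? 'file intact' : 'file deleted');

try {
    get_lead_fields_json($payload);
} catch (JsonException $e) {
    printf("json_decode           : rejected (%s), %s\n", $e->getMessage(),
        file_exists($victim) ? 'file intact' : 'file deleted');
}

// Only the vulnerable path instantiates the gadget; its destructor fires as
// soon as the returned array is discarded, and the file is gone.
get_lead_fields_vulnerable($payload);
printf("unserialize()         : %s\n", file_exists($victim) ? 'file intact' : 'file deleted');
```

Run with `php poi_demo.php` (PHP 7.3 or later for JSON_THROW_ON_ERROR). The two hardened calls leave the file in place; the vulnerable call deletes it without any explicit use of the injected object. Note that `allowed_classes => false` only stops gadget instantiation; unserialize() still parses attacker-controlled structure, so option B is the better default for data that arrives from clients. The page states only that 3.2.5 corrects the insecure deserialization, not which of these approaches the maintainers chose.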
CVE-2025-8145 was publicly disclosed on August 20, 2025. Exploitation requires neither authentication nor user interaction, and the published EPSS score is 1.26% (79th percentile): modest in absolute terms, but higher than most CVEs. Serialized PHP object payloads are simple to construct once a gadget chain is known, so public proof-of-concept code should be expected. Monitor security advisories and threat intelligence feeds for indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 1.26% (79th percentile)
The primary mitigation is to upgrade the Redirection for Contact Form 7 plugin to version 3.2.5 or later immediately. If the upgrade must wait for compatibility testing, deactivate the plugin in the meantime, since the vulnerable code path is reachable without authentication. A Web Application Firewall (WAF) configured to detect deserialization attacks adds a layer of defense: look for rules that match the syntax of serialized PHP objects (O:<length>:"ClassName":...) in request parameters, including URL- and base64-encoded forms. Review and restrict the web server user's filesystem permissions so that wp-config.php and other core files are not deletable by it, which limits what the POP chain can achieve. Monitor web server and WordPress logs for suspicious activity, in particular unauthenticated form submissions carrying serialized data, PHP unserialize() errors, and unexpected access to or disappearance of sensitive files.
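As an added example for the interim mitigations above (not a rule from any WAF vendor and not code from the plugin), the following PHP shows the detection logic a virtual patch or a log review would apply: recognising the syntax of a serialized PHP object in request parameters, including URL-encoded and base64-encoded variants. The function names and the request parameter sets are constructed for the demonstration.

```php
<?php
// Added example for the interim-mitigation paragraph above. It is not a rule
// from any WAF vendor and not code from the plugin. The parameter sets below
// are constructed for the demonstration, not captured traffic.

function contains_serialized_php_object(string $value): bool
{
    // A serialized object reads  O:<len>:"<Class>":<n>:{ ...  and a class
    // using the Serializable interface reads  C:<len>:"<Class>":<n>:{ ...
    // The optional "+" before the length is accepted by PHP and is a known
    // trick for slipping past filters that look for O:<digits> only.
    // The leading alternation accepts a top-level object or one nested in an
    // array or property list (preceded by { ; or :).
    $pattern = '/(?:^|[{;:])[OC]:\+?\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/';

    $candidates = [$value, rawurldecode($value)];
    // base64 wrapping is common in POI attacks; only strict decodes count.
    $decoded = base64_decode($value, true);
    if ($decoded !== false && $decoded !== '') {
        $candidates[] = $decoded;
    }
    foreach ($candidates as $candidate) {
        if (preg_match($pattern, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

// Inspect every string parameter of a request, as a must-use plugin or a WAF
// hook would, and return the names of the offending parameters.
function flag_request_parameters(array $params): array
{
    $flagged = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && contains_serialized_php_object($value)) {
            $flagged[] = (string) $name;
        }
    }
    return $flagged;
}

// ---- Constructed request parameter sets ------------------------------------
$benign = [
    'your-name'  => 'Jane Doe',
    'your-email' => 'jane@example.com',
    'message'    => 'Ordered item O:123, please confirm.',   // not an object
];
$attack_plain = [
    'your-email' => 'a@example.com',
    'lead'       => 'a:1:{s:1:"x";O:11:"Evil_Gadget":1:{s:4:"path";s:14:"/var/www/x.php";}}',
];
$attack_urlenc = ['lead' => rawurlencode($attack_plain['lead'])];
$attack_b64    = ['lead' => base64_encode($attack_plain['lead'])];

$cases = [
    'benign'      => $benign,
    'plain'       => $attack_plain,
    'url-encoded' => $attack_urlenc,
    'base64'      => $attack_b64,
];
foreach ($cases as $label => $params) {
    $hits = flag_request_parameters($params);
    printf("%-12s -> %s\n", $label,
        $hits ? 'BLOCK (' . implode(',', $hits) . ')' : 'allow');
}
```

The benign submission passes (a bare "O:123," is not followed by the class-name and property-count markers), while the plain, URL-encoded and base64-encoded payloads are all flagged on the `lead` parameter. Treat this as a stopgap: a signature of this kind can be evaded with other encodings or transport layers the filter does not unwrap, which is why the page lists the upgrade to 3.2.5 as the primary fix.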
Update the Redirection for Contact Form 7 plugin to version 3.2.5 or later. This release corrects the insecure deserialization in the plugin, closing the PHP Object Injection path and with it the file deletion and potential code execution that the gadget chain enabled.
CVE-2025-8145 is an unauthenticated PHP Object Injection vulnerability in the Redirection for Contact Form 7 plugin for WordPress which, together with a gadget chain present in Contact Form 7, allows arbitrary file deletion and, depending on server configuration, Remote Code Execution.
If you are using Redirection for Contact Form 7 versions 0.0.0 through 3.2.4, you are affected by this vulnerability.
Upgrade the Redirection for Contact Form 7 plugin to version 3.2.5 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
No active exploitation has been confirmed at the time of writing. The flaw needs no authentication and the gadget chain is known, but its EPSS score of 1.26% (79th percentile) indicates a moderate expected rate of exploitation; treat the upgrade as urgent regardless.
Refer to the official Redirection for Contact Form 7 plugin website and WordPress security announcements for the latest advisory and updates.