Platform
wordpress
Component
wpcf7-redirect
Fixed in
3.2.5
CVE-2025-8141 describes an arbitrary file access vulnerability affecting the Redirection for Contact Form 7 plugin for WordPress. This flaw allows unauthenticated attackers to delete files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 3.2.4 of the plugin, and a fix is available in version 3.2.5.
The primary impact of CVE-2025-8141 is that an unauthenticated attacker can delete arbitrary files on a WordPress server. The vulnerability stems from insufficient file path validation within the plugin's delete_associated_files function. While file deletion alone can disrupt website functionality, the most severe consequence arises when critical configuration files, such as wp-config.php, are targeted. Deleting wp-config.php forces WordPress back into its installation flow, which would effectively grant the attacker complete control over the installation, enabling remote code execution and data exfiltration. This vulnerability shares similarities with other file access vulnerabilities where improper validation allows unauthorized modification or deletion of sensitive files, potentially leading to a complete compromise of the system.
CVE-2025-8141 was publicly disclosed on 2025-08-20. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation given the unauthenticated nature of the vulnerability suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
WordPress websites utilizing the Redirection for Contact Form 7 plugin, particularly those running versions 0.0.0 through 3.2.4, are at risk. Shared hosting environments where users have limited control over server file permissions are especially vulnerable, as an attacker could potentially exploit this vulnerability to impact other websites hosted on the same server.
• wordpress / composer / npm:
  wp plugin list --status=active | grep Redirection
• wordpress / composer / npm:
  wp plugin update --all
• wordpress / composer / npm:
  wp plugin status | grep Redirection
• wordpress / composer / npm:
  find /var/www/html/wp-content/plugins/redirection-for-contact-form7/ -name 'delete_associated_files.php'
disclosure
Exploit status
EPSS
0.35% (57th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-8141 is to upgrade the Redirection for Contact Form 7 plugin to version 3.2.5 or later immediately. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporary workarounds: restricting file permissions on the server so that the web server account cannot delete files outside the uploads directory limits the impact of a successful attack, and a Web Application Firewall (WAF) rule can block requests targeting the vulnerable delete_associated_files function. Thoroughly test any configuration changes in a staging environment before applying them to production. After upgrading, verify the fix by attempting to reach the vulnerable endpoint as an unauthenticated user and confirming that file deletion is refused.
Update the Redirection for Contact Form 7 plugin to version 3.2.5 or later to fix the arbitrary file deletion vulnerability. This update corrects the missing validation of file paths, preventing unauthenticated attackers from deleting sensitive files on the server.
CVE-2025-8141 is a HIGH severity vulnerability in the Redirection for Contact Form 7 WordPress plugin allowing unauthenticated attackers to delete files, potentially leading to remote code execution.
You are affected if your WordPress site uses Redirection for Contact Form 7 version 0.0.0 through 3.2.4. Upgrade immediately.
Upgrade the Redirection for Contact Form 7 plugin to version 3.2.5 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules or restricted file permissions.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation. Monitor security advisories.
Refer to the official Redirection for Contact Form 7 plugin website and WordPress security announcements for the latest advisory and updates.