Platform: wordpress
Component: wpcf7-redirect
Fixed version: 3.2.5
CVE-2025-8145 describes a critical PHP Object Injection vulnerability discovered in the Redirection for Contact Form 7 plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious PHP objects, potentially leading to severe consequences, including arbitrary file deletion and, under specific server configurations, Remote Code Execution (RCE). The vulnerability impacts versions 0.0.0 through 3.2.4, and a patch is available in version 3.2.5.
The core of the vulnerability lies in the getleadfields function, which fails to properly sanitize deserialized input. An attacker can craft a malicious payload containing a PHP Object that, when deserialized, executes arbitrary code. The presence of a known PHP Object Injection (POI) chain within a Contact Form 7 plugin amplifies the risk, enabling attackers to delete files on the server. In environments where the webserver user has write access to sensitive files (e.g., configuration files, core WordPress files), this file deletion can be a precursor to more significant compromise. The potential for RCE, while dependent on server configuration, represents the most severe impact, allowing attackers to gain complete control over the affected WordPress instance.
CVE-2025-8145 was publicly disclosed on August 20, 2025. The vulnerability's ease of exploitation and potential for RCE suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (POC) code is anticipated to emerge quickly, further increasing the risk. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
WordPress websites utilizing the Redirection for Contact Form 7 plugin, particularly those with older versions (0.0.0–3.2.4), are at significant risk. Shared hosting environments where the webserver user has elevated privileges are especially vulnerable, as file deletion could lead to broader system compromise. Websites with misconfigured file permissions are also at increased risk.
• wordpress / composer / npm: grep -rnF 'unserialize($_REQUEST[' plugins/redirection/includes/class-redirection.php
• wordpress / composer / npm: wp plugin list --status=inactive | grep redirection
• wordpress / composer / npm: wp plugin update --all
• generic web: Check the WordPress plugin directory for reports of exploitation or malicious plugin versions.
• generic web: Review server access logs for unusual requests containing serialized data.
EPSS: 1.26% (79th percentile)
The primary mitigation is to immediately upgrade the Redirection for Contact Form 7 plugin to version 3.2.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. Web Application Firewalls (WAFs) configured to detect and block deserialization attacks can provide an additional layer of defense. Specifically, look for WAF rules that identify patterns associated with PHP Object Injection. Review and restrict file permissions for the webserver user to minimize the impact of potential file deletion. Monitor WordPress logs for suspicious activity, particularly deserialization errors or attempts to access sensitive files.
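As an added example (not part of this advisory or of the plugin's own code), the following Python scanner applies the log-review step above to constructed access-log lines: it URL-decodes each request target and flags requests carrying the serialized PHP object signature (O:<len>:"Class":<n>:{), while leaving plain serialized arrays alone, since an array on its own instantiates no class. The admin-ajax action name and the lead_fields parameter in the sample lines are constructed placeholders, not the plugin's real endpoints.

```python
import re
from urllib.parse import unquote_plus

# Signature of a serialized PHP object: O:<name length>:"<class>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

# Apache combined-format prefix: client IP, identity, user, timestamp, method, target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
)

# Constructed sample access-log lines (not real traffic). The action name and
# lead_fields parameter are placeholders, not the plugin's actual endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2025:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Aug/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=example_action&lead_fields=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D HTTP/1.1" 200 43 "-" "curl/8.0"
10.0.0.9 - - [20/Aug/2025:10:02:15 +0000] "GET /?s=a%3A1%3A%7Bi%3A0%3Bs%3A1%3A%22x%22%3B%7D HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""


def find_php_objects(text):
    """Return the class names of serialized PHP objects found in text.

    The text is URL-decoded twice so that both singly and doubly encoded
    payloads are inspected; decoding text without '%' is a no-op.
    """
    decoded = unquote_plus(unquote_plus(text))
    return [m.group(1) for m in PHP_OBJECT_RE.finditer(decoded)]


def scan_access_log(log_text):
    """Return one finding per request whose target carries a serialized PHP object."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        classes = find_php_objects(m.group("target"))
        if classes:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "classes": classes,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported; the third carries a serialized array (a:1:{...}) rather than an object, so it is not flagged.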
Update the Redirection for Contact Form 7 plugin to version 3.2.5 or later to mitigate the PHP object injection vulnerability. This update fixes the insecure deserialization of data, preventing the execution of malicious code and the possible deletion of files.
CVE-2025-8145 is a HIGH severity vulnerability allowing attackers to inject PHP Objects into the Redirection for Contact Form 7 plugin, potentially leading to file deletion and Remote Code Execution.
If you are using Redirection for Contact Form 7 versions 0.0.0 through 3.2.4, you are affected by this vulnerability.
Upgrade the Redirection for Contact Form 7 plugin to version 3.2.5 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation.
Refer to the official Redirection for Contact Form 7 plugin website and WordPress security announcements for the latest advisory and updates.