CVE-2025-8145

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.3/classes/class-wpcf7r-lead.php#L144
https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb275d5-ec4b-419f-84e1-84172d381411?source=cve

Configurations

No configuration.

History

20 Aug 2025, 14:39

Type	Values Removed	Values Added
Summary		(es) El complemento Redirection for Contact Form 7 para WordPress es vulnerable a la inyección de objetos PHP en todas las versiones hasta la 3.2.4 incluida, mediante la deserialización de entradas no confiables en la función get_lead_fields. Esto permite que atacantes no autenticados inyecten un objeto PHP. La presencia adicional de una cadena POP en un complemento de Contact Form 7 permite a los atacantes eliminar archivos arbitrarios. Además, en ciertas configuraciones de servidor, es posible la ejecución remota de código.

20 Aug 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-20 03:15

Updated : 2025-08-20 14:39

NVD link : CVE-2025-8145

Mitre link : CVE-2025-8145

CVE.ORG link : CVE-2025-8145

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

8.8 /10