Arbitrary File Deletion Vulnerability in Contact Form 7 Plugin for WordPress
CVE-2025-8141

8.8HIGH

Key Information:

Vendor: WordPress
Status: Redirection For Contact Form 7
Vendor: CVE Published:; 20 August 2025

What is CVE-2025-8141?

The Contact Form 7 plugin for WordPress exhibits a security weakness allowing arbitrary file deletion due to inadequate validation of file paths in the delete_associated_files function. This vulnerability affects all versions up to and including 3.2.4, enabling unauthenticated attackers to delete any file on the server. Such actions can lead to severe consequences, including the potential for remote code execution, particularly if sensitive files like wp-config.php are targeted.

Affected Version(s)

Redirection for Contact Form 7 * <= 3.2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wpcf7-redirect...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2025
Vulnerability Reserved
Jul 24, 2025

Credit

Nguyen Tan Phat