PHP Object Injection Vulnerability in Redirection for Contact Form 7 Plugin by WordPress
CVE-2025-8289

7.5 HIGH

Key Information:

Vendor

WordPress

CVE Published:
20 August 2025

What is CVE-2025-8289?

The Redirection for Contact Form 7 plugin for WordPress contains a PHP Object Injection vulnerability caused by deserialization of untrusted input in the delete_associated_files function. The issue affects all versions up to and including 3.2.4 and is particularly dangerous when a form with a file upload action is active on the site. Exploitation requires that the 'Redirection For Contact Form 7 Extension - Create Post' extension be installed and activated. Notably, it does not pose a threat to sites running a PHP version greater than 8. The vulnerable software itself contains no property-oriented programming (POP) chain, but the risk escalates when an additional plugin or theme that does contain one is present: such a configuration can allow an attacker to delete arbitrary files, access sensitive data, or execute malicious code. Since Contact Form 7 is a requirement for this plugin, any site running both the plugin and the 'Redirection For Contact Form 7 Extension - Create Post' extension remains exposed to these outcomes.
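To make the bug class concrete, the following is an added illustration written for this page; it is not the plugin's code and does not reproduce the actual delete_associated_files implementation. It shows the general shape of a file-cleanup routine that becomes a PHP Object Injection sink because it calls unserialize() on attacker-influenced data, next to a hardened version. The function names (hypothetical_*), the JSON list format and the upload-directory containment check are assumptions of this example.

```php
<?php
// Added example (not the plugin's code). Shows why unserialize() on
// untrusted data is a PHP Object Injection sink even when the surrounding
// code "only" deletes files, and how to harden the same routine.

// --- Vulnerable pattern ----------------------------------------------------
// $raw is attacker-influenced (a submitted field, or a stored value that
// originated from a submission). unserialize() instantiates whatever class
// the payload names; if any plugin or theme on the site defines a class whose
// __wakeup()/__destruct() acts on its properties (a POP chain), that code runs
// before the loop below is even reached. The loop itself then deletes
// attacker-chosen paths with no containment check.
function hypothetical_delete_files_vulnerable(string $raw): void {
    $files = unserialize($raw);            // object injection sink
    foreach ((array) $files as $file) {
        if (is_file($file)) {
            unlink($file);                 // arbitrary file deletion
        }
    }
}

// --- Hardened pattern ------------------------------------------------------
// 1. Carry the list as JSON: json_decode() yields only scalars, arrays and
//    stdClass, never an arbitrary class, so no magic method can fire.
// 2. Accept only a flat list of strings.
// 3. Resolve each path and require it to stay inside the upload directory.
// Returns the list of paths actually deleted.
function hypothetical_delete_files_hardened(string $raw, string $upload_dir): array {
    $files = json_decode($raw, true);
    if (!is_array($files)) {
        return [];
    }
    $base = realpath($upload_dir);
    if ($base === false) {
        return [];
    }
    $deleted = [];
    foreach ($files as $file) {
        if (!is_string($file)) {
            continue;                      // reject nested structures
        }
        $real = realpath($file);           // false if missing; collapses "../"
        if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue;                      // outside the upload dir: refuse
        }
        if (is_file($real) && unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// --- Legacy data -----------------------------------------------------------
// If already-stored PHP-serialized lists must still be read, refuse object
// instantiation outright (PHP 7.0+). Any object in the payload becomes
// __PHP_Incomplete_Class and no __wakeup()/__destruct() of a real class runs.
function hypothetical_read_legacy_list(string $raw): array {
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? array_values(array_filter($data, 'is_string')) : [];
}
```

The allowed_classes option closes the object-injection sink but does nothing about the second problem in the vulnerable version, the unconstrained unlink(); the realpath() prefix check against the upload directory is what prevents a crafted list from reaching files elsewhere on the host. Keeping the two defenses separate makes the intent of each clear when the code is reviewed.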

Affected Version(s)

Redirection for Contact Form 7 * <= 3.2.4

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Nguyen Tan Phat