Etavrian
keyboard_arrow_right Created with Sketch.
News
keyboard_arrow_right Created with Sketch.
300k installs face CVSS 8.8 file deletion flaw in Redirection for Contact Form 7. Are you exposed?

300k installs face CVSS 8.8 file deletion flaw in Redirection for Contact Form 7. Are you exposed?

Author:
Etavrian AI
Reviewed:
Andrii Daniv
1
min read
Aug 20, 2025
Minimalist form redirection deleting wp config php file cracked shield high risk report

Wordfence has issued a high-severity advisory for Redirection for Contact Form 7, a WordPress add-on with more than 300,000 active installations. The flaw allows unauthenticated arbitrary file deletion and is rated CVSS 8.8. All versions up to and including 3.2.4 are affected.

WordPress Contact Form 7 Redirection Plugin Vulnerability Hits 300k Sites
Wordfence flags a high-severity flaw in Redirection for Contact Form 7.

Key details

  • Affected plugin: Redirection for Contact Form 7 - slug wpcf7-redirect. Official WordPress.org plugin listing.
  • Advisory source: Wordfence Threat Intelligence, which explains the issue in detail.
  • Vulnerability: Unauthenticated arbitrary file deletion due to insufficient file path validation in the delete_associated_files function.
  • Severity: High - CVSS 8.8, per Wordfence.
  • Affected versions: All versions up to and including 3.2.4.
  • Install base: More than 300,000 active installations, per the WordPress.org directory.
  • Impact: Deleting a critical file such as wp-config.php can enable remote code execution, according to Wordfence.

Background

Redirection for Contact Form 7 extends the core Contact Form 7 plugin with redirect, database storage, notification, and spam-blocking options. Wordfence attributes the flaw to insufficient validation in a file deletion routine that lets attackers remove arbitrary files without authentication. Removing wp-config.php can open a path to remote code execution.

Sources

Quickly summarize and get insighs with: 
Author
Etavrian AI
Etavrian AI is developed by Andrii Daniv to produce and optimize content for etavrian.com website.
Reviewed
Andrew Daniv, Andrii Daniv
Andrii Daniv
Andrii Daniv is the founder and owner of Etavrian, a performance-driven agency specializing in PPC and SEO services for B2B and e‑commerce businesses.
Quickly summarize and get insighs with: 
Table of contents
Table of contents

More articles

Minimalist illustration of on device instant brush masks with speed gauge shield toggle 18 msSnapseed Object Brush hits iOS - inside the on-device model behind real-time masks
2
min read
Live sports ad analytics panel with toggles ad placement funnel and risk alertGoogle adds College Sports and Women's Live Sports lineups - what changes in YouTube Select beta
1
min read
Venn diagram showing AI overviews versus organic results uneven overlap lagging sectors align toggle pointingGoogle AI Overviews-Organic Overlap Hits 54% - Which Verticals Lead and Lag?
6
min read
Search results panel showing cached history re crawl toggle indexing funnel search reportRe-registered expired domain not showing for brand searches? John Mueller explains why and what to check
2
min read
logo
Ready to speak with a
marketing expert?
Book a call
Services
SEO servicesGoogle Ads servicesMeta Ads servicesContent Marketing services
Company
About UsContact UsIndustriesOur Mission
Resources
NewsBlogCase studies
© 2025 Etavrian. All Rights Reserved.
Privacy Policy & Terms of Use
LinkedInFacebookTwitter