CVE-2025-8145
BaseFortify
Publication date: 2025-08-20
Last updated on: 2025-08-20
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | contact_form_7 | 3.2.4 |
| wordpress | contact_form_7 | 3.2.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Redirection for Contact Form 7 WordPress plugin (up to version 3.2.4) is a PHP Object Injection issue. It occurs due to unsafe deserialization of untrusted input in the get_lead_fields function, allowing unauthenticated attackers to inject malicious PHP objects. This can lead to further exploitation such as arbitrary file deletion and, under certain server configurations, remote code execution.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized deletion of arbitrary files on the server and potentially remote code execution, which means attackers could run malicious code remotely. This can lead to data loss, server compromise, and disruption of services.