CVE-2025-14800
Arbitrary File Upload in Contact Form 7 Plugin Allows Remote Code Execution
Publication date: 2025-12-21
Last updated on: 2025-12-21
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wpcf7-redirect | 3.2.8 |
| wordpress | wpcf7-redirect | 3.2.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Redirection for Contact Form 7 WordPress plugin (up to version 3.2.7) allows unauthenticated attackers to upload arbitrary files to the server because the plugin's 'move_file_to_upload' function lacks proper file type validation. This means attackers can potentially upload malicious files, including remote files if 'allow_url_fopen' is enabled, leading to unauthorized file copying on the server. The issue was fixed in version 3.2.8 by adding strict file type validation, rejecting unrecognized MIME types and remote file paths, and securing upload directories against unauthorized access. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including allowing attackers to upload and execute malicious files on your server, potentially leading to full site compromise. It can result in unauthorized access, data theft, defacement, or use of your server for malicious purposes. If 'allow_url_fopen' is enabled, attackers can upload remote files, increasing the risk. The vulnerability also risks exposing sensitive files due to lack of directory protection, which was addressed in the update by securing upload directories and validating file types. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you can check if the installed version of the 'Redirection for Contact Form 7' plugin is version 3.2.7 or earlier, as these versions lack proper file type validation. Additionally, you can look for suspicious file uploads in the plugin's upload directories, especially files with unusual extensions or remote file URLs. Commands to help detect this might include:

1. Checking plugin version via WP-CLI: `wp plugin list --status=active | grep wpcf7-redirect`
2. Searching for suspicious files in the uploads directory (adjust path as needed): `find wp-content/uploads/wpcf7r_uploads/ -type f`
3. Checking web server logs for unusual POST requests to the plugin's upload endpoints.
4. Using grep to find calls to the vulnerable function or suspicious file uploads in logs: `grep -r 'move_file_to_upload' /path/to/wordpress/wp-content/plugins/wpcf7-redirect/`

These steps can help identify if the vulnerable plugin version is present and if suspicious file uploads have occurred. [1, 2]
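The following is an added example and not code from the wpcf7-redirect plugin or from Wordfence. It illustrates the two points made in the answers above: the CWE-434 pattern (a copy of a request-supplied path with no type check, where `allow_url_fopen` lets `copy()` fetch a remote URL) beside a hardened upload handler that validates the content type from the bytes, rejects wrapper and remote paths, and drops `index.php`/`.htaccess` guard files into the upload directory; and a scanner that runs the same checks over an existing uploads directory to flag files that should never have been accepted. All function names, the allowlist and the guard-file contents are assumptions for illustration; the directory path in the usage line is the one quoted in the detection answer.

```php
<?php
// Added example, not the wpcf7-redirect plugin's code. Shows the CWE-434
// pattern described in the advisory beside a hardened upload handler, and a
// scanner that applies the same checks to an existing uploads directory.
// All function names, the allowlist and the guard files are illustrative.
declare(strict_types=1);

// Allowlist: detected MIME type => extensions permitted for it.
const ALLOWED_TYPES = [
    'application/pdf' => ['pdf'],
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
    'text/plain'      => ['txt'],
];
const GUARD_INDEX    = "<?php\n// Silence is golden.\n";
const GUARD_HTACCESS = "<FilesMatch \"\\.(php|phtml|phar)$\">\n  Require all denied\n</FilesMatch>\n";

// Vulnerable pattern (hypothetical reconstruction of what the advisory
// describes): the source path comes from request data and is copied with no
// type check. copy() honours stream wrappers, so with allow_url_fopen=On a
// remote URL is fetched and stored under whatever name it carries.
function move_file_to_upload_vulnerable(string $source, string $uploadDir): string
{
    $dest = rtrim($uploadDir, '/') . '/' . basename($source);
    copy($source, $dest);
    return $dest;
}

// Decide from the bytes, not the client-supplied name, whether a file is an
// acceptable type. Returns [accepted, reason, extension].
function classify_file(string $path, string $name): array
{
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return [false, 'unrecognised MIME type ' . ($mime ?: 'unknown'), $ext];
    }
    if (!in_array($ext, ALLOWED_TYPES[$mime], true)) {
        return [false, "extension '$ext' does not match MIME type $mime", $ext];
    }
    // A PHP open tag inside an otherwise valid image or text file is still
    // hostile if the directory ever becomes executable, so sniff for it too.
    $head = (string) file_get_contents($path, false, null, 0, 8192);
    if (stripos($head, '<?php') !== false || strpos($head, '<?=') !== false) {
        return [false, 'contains PHP open tag', $ext];
    }
    return [true, 'ok', $ext];
}

// Keep the upload directory unlistable and, on Apache, non-executable
// (nginx and other servers need the equivalent in server configuration).
function ensure_protected_dir(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    foreach (['index.php' => GUARD_INDEX, '.htaccess' => GUARD_HTACCESS] as $f => $body) {
        if (!file_exists("$dir/$f")) {
            file_put_contents("$dir/$f", $body);
        }
    }
}

// Hardened handler. $file is one entry of $_FILES.
function move_file_to_upload_hardened(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    $tmp = (string) $file['tmp_name'];
    // Reject URL-style and wrapper paths (http://, ftp://, php://, data:, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]+:#i', $tmp)) {
        throw new RuntimeException('remote or wrapper path rejected');
    }
    // Only accept files PHP itself received in this HTTP request.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    [$ok, $reason, $ext] = classify_file($tmp, (string) $file['name']);
    if (!$ok) {
        throw new RuntimeException("rejected: $reason");
    }
    ensure_protected_dir($uploadDir);
    // Server-chosen random name: the client never controls the stored path.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0644);
    return $dest;
}

// Detection: list files in an existing uploads directory that the hardened
// checks would have refused. Guard files are skipped only when byte-identical.
function scan_uploads(string $dir): array
{
    $findings = [];
    $guards   = ['index.php' => GUARD_INDEX, '.htaccess' => GUARD_HTACCESS];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        $name = $f->getFilename();
        $path = $f->getPathname();
        if (isset($guards[$name]) && file_get_contents($path) === $guards[$name]) {
            continue;
        }
        [$ok, $reason] = classify_file($path, $name);
        if (!$ok) {
            $findings[] = ['path' => $path, 'reason' => $reason];
        }
    }
    return $findings;
}

// Usage: php scan.php wp-content/uploads/wpcf7r_uploads/
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scan_uploads($argv[1]) as $hit) {
        printf("%-45s %s\n", $hit['reason'], $hit['path']);
    }
}
```

The scanner deliberately reuses `classify_file` so that "what would the fixed handler have rejected" and "what is already sitting in the directory" are answered by the same rule; a finding such as `contains PHP open tag` or `extension 'jpg' does not match MIME type text/x-php` on a file under `wpcf7r_uploads/` is the signal to pull the web server access log for the matching POST and treat the host as potentially compromised rather than simply deleting the file.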
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the 'Redirection for Contact Form 7' plugin to version 3.2.8 or later, which includes enhanced security measures such as strict file type validation in the 'move_file_to_upload' function and initialization of index files in upload directories to prevent unauthorized access. Additionally, ensure that the upload directories are secured with proper .htaccess rules or equivalent to prevent direct access. If updating immediately is not possible, consider disabling the plugin temporarily or restricting access to the upload endpoints. Also, verify that the PHP setting 'allow_url_fopen' is set to 'Off' to prevent remote file uploads. [1]