Primary

Context

Redirection for Contact Form 7 WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

Patched

A vulnerability exists in the Redirection for Contact Form 7 WordPress plugin, specifically in versions through 3.2.7. The issue arises from inadequate file type validation in the 'move_file_to_upload' function, allowing unauthenticated users to upload arbitrary files to the server. If 'allow_url_fopen' is enabled, remote files can also be uploaded.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads, potentially allowing for the execution of malicious files on the server.

Remediation

Users are advised to update the Redirection for Contact Form 7 plugin to version 3.2.8 or later.

Added: Dec 21, 2025, 8:21 AM

Updated: Dec 21, 2025, 8:21 AM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

7.5

exploitability

7.1

remediation

7.7

relevance

1.6

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

7.5

exploitability

7.1

remediation

7.7

relevance

1.6

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Redirection for Contact Form 7 WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Codeinwp Redirection for Contact Form 7

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating