Redirection for Contact Form 7
cpe:2.3:a:redirection-for-contact-form7:redirection_for_contact_form_7:*:*:*:*:wordpress:*:*
- <= 3.2.4
A PHP Object Injection vulnerability has been identified in the Redirection for Contact Form 7 WordPress plugin, affecting all versions through 3.2.4. The issue arises from the deserialization of untrusted input in the 'delete_associated_files' function, allowing unauthenticated attackers to inject PHP objects. This vulnerability is exploitable when a form with a file upload action is present on the site, and it does not affect sites running PHP versions greater than 8. Additionally, the 'Redirection For Contact Form 7 Extension - Create Post' extension must be installed and activated for exploitation. While the vulnerable plugin itself does not have a known PHP Object Injection chain, the presence of such a chain through an additional plugin or theme could enable an attacker to delete arbitrary files, access sensitive data, or execute code, depending on the specific chain available. Notably, a usable gadget in the Contact Form 7 plugin could facilitate arbitrary file deletion when this vulnerability is exploited.
Exploitation of this vulnerability could lead to PHP Object Injection, with the potential for arbitrary file deletion, if a suitable PHP Object Injection chain is available through another plugin or theme.
Users are advised to update the Redirection for Contact Form 7 plugin to version 3.2.5 or a newer patched version.
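As an added illustration of the bug class described above (hypothetical code, not the plugin's own `delete_associated_files` implementation), the vulnerable pattern is an `unserialize()` call on data an unauthenticated request can influence, placed beside a hardened form that refuses serialized objects and confines deletions to the uploads directory. The function names, the `$upload_dir` parameter and the sample input are assumptions for the example.

```php
<?php
// Added example, not code from the Redirection for Contact Form 7 plugin.
// Both functions receive a serialized list of file paths that a form
// submission with a file-upload action could have influenced.

// VULNERABLE pattern: unserialize() with no class restriction instantiates
// whatever class the payload names, so magic methods (__wakeup, __destruct,
// __toString) of any gadget present in another plugin or theme can run.
function delete_associated_files_vulnerable(string $stored): void {
    $files = unserialize($stored);               // arbitrary objects accepted
    foreach ((array) $files as $path) {
        if (is_string($path) && is_file($path)) {
            unlink($path);                       // no confinement of $path
        }
    }
}

// HARDENED pattern: allowed_classes => false turns every serialized object
// into __PHP_Incomplete_Class (no magic methods are invoked), the result
// must be a plain array, and each path must resolve inside $upload_dir.
function delete_associated_files_hardened(string $stored, string $upload_dir): array {
    $files = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($files)) {
        return [];                               // reject anything but a list
    }
    $base = realpath($upload_dir);
    if ($base === false) {
        return [];
    }
    $deleted = [];
    foreach ($files as $path) {
        if (!is_string($path)) {
            continue;                            // objects/ints are not paths
        }
        $real = realpath($path);                 // resolves ../ and symlinks
        if ($real !== false
            && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0
            && is_file($real)) {
            unlink($real);
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Constructed input: a serialized array carrying an object where a path was
// expected. With allowed_classes => false it becomes __PHP_Incomplete_Class
// and is skipped by the is_string() check instead of being instantiated.
$tainted = 'a:1:{i:0;O:8:"stdClass":0:{}}';
$parsed  = unserialize($tainted, ['allowed_classes' => false]);
var_dump($parsed[0] instanceof __PHP_Incomplete_Class);
```

When the stored data is produced by the plugin itself, replacing the serialized format with `json_encode()`/`json_decode()` removes the object-instantiation surface entirely rather than filtering it.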