Description

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible.

Status: PUBLISHED | Reserved 2025-07-24 | Published 2025-08-20 | Updated 2025-08-20 | Assigner: Wordfence

Severity: HIGH 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status: unaffected

Version *: affected

Timeline

2025-07-05: Discovered
2025-08-19: Disclosed

Credits

Nguyen Tan Phat (finder)

References

www.wordfence.com/...-ec4b-419f-84e1-84172d381411?source=cve

plugins.trac.wordpress.org/.../classes/class-wpcf7r-lead.php

cve.org (CVE-2025-8145)

nvd.nist.gov (CVE-2025-8145)