CVE-2025-7645 is a path traversal vulnerability classified under CWE-22 found in the htplugins Extensions For CF7 plugin for WordPress, which includes Contact form 7 Database, Conditional Fields, and Redirection functionalities. This vulnerability exists due to improper validation of the 'delete-file' parameter, which is used when an administrator deletes a form submission. The plugin fails to properly restrict file paths, allowing an unauthenticated attacker to craft requests that delete arbitrary files on the server. Because the deletion action is triggered during legitimate administrative operations, an attacker can exploit this flaw without authentication by tricking or timing the attack with an admin's deletion action. Critical files such as wp-config.php can be deleted, which may cause denial of service or enable remote code execution if attackers replace or manipulate files. The vulnerability affects all versions up to and including 3.2.8. The CVSS 3.1 base score is 8.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on integrity and availability. No patches or known exploits are currently published, but the risk is significant due to the potential for server compromise. The vulnerability highlights the importance of strict input validation and secure file handling in WordPress plugins, especially those interacting with file systems.

The impact of CVE-2025-7645 is substantial for organizations running WordPress sites with the vulnerable htplugins Extensions For CF7 plugin. Successful exploitation allows unauthenticated attackers to delete arbitrary files on the web server, which can disrupt website functionality, cause data loss, and lead to denial of service. Deletion of critical configuration files like wp-config.php can break the WordPress installation or allow attackers to execute arbitrary code remotely if combined with other vulnerabilities or malicious file uploads. This can result in full server compromise, data breaches, defacement, or persistent backdoors. The vulnerability affects the integrity and availability of the affected systems. Given WordPress's widespread use globally, many organizations, especially those relying on this plugin for form management, are at risk. The requirement for user interaction (administrator deleting a submission) somewhat limits exploitation but does not eliminate risk, as social engineering or timing attacks can facilitate exploitation. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future active exploitation.

To mitigate CVE-2025-7645, organizations should immediately update the htplugins Extensions For CF7 plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should restrict access to the WordPress admin panel to trusted users only and monitor deletion activities closely. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the 'delete-file' parameter. Employ strict input validation and sanitization on all file path inputs within the plugin code if custom modifications are possible. Backup critical files regularly to enable recovery from unauthorized deletions. Limit file system permissions for the web server user to prevent deletion of sensitive files outside designated directories. Additionally, consider disabling or restricting the plugin’s deletion features temporarily if feasible. Educate administrators about the risk of social engineering that could trigger deletion actions. Continuous monitoring and logging of file deletions and administrative actions can help detect exploitation attempts early.