CVE-2025-7645: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in htplugins Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)
The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-7645 is a high-severity path traversal vulnerability (CWE-22) in the Extensions For CF7 plugin suite for WordPress, which bundles the Contact form 7 Database, Conditional Fields and Redirection components. All versions up to and including 3.2.8 are affected. The root cause is insufficient validation of the file path held in the 'delete-file' field: when an administrator deletes a submission, the plugin removes the file named in that field without confining it to the directory where submission attachments are stored. Because the field is populated from an unauthenticated form submission, an attacker can place a traversal path in it and have an arbitrary file on the server deleted once the administrator removes that submission. Deleting a key file such as wp-config.php, which holds the database credentials and configuration, can cause denial of service or open the way to remote code execution (RCE). Exploitation is remote and requires no authentication; the only precondition is user interaction, namely an administrator deleting the poisoned submission. The CVSS v3.1 score of 8.1 reflects a network attack vector, low attack complexity and high impact on integrity and availability. No exploitation in the wild had been reported at the time of publication, but the low bar to exploitation makes this a significant threat to WordPress sites running the plugin, and the absence of a vendor patch at publication time increases the risk.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for those relying on WordPress sites with the Extensions For CF7 plugin suite. Exploitation can lead to arbitrary file deletion, potentially causing website downtime, data loss, and exposure to further attacks such as remote code execution. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance, particularly under GDPR where data integrity and availability are critical. Organizations in sectors like e-commerce, government, healthcare, and finance, which often use WordPress for public-facing sites or internal portals, are at heightened risk. The ability for unauthenticated attackers to exploit this vulnerability remotely increases the likelihood of automated scanning and exploitation attempts. Additionally, deletion of configuration files can facilitate deeper system compromise, enabling attackers to pivot within networks or exfiltrate sensitive data. The impact extends beyond the affected website to potentially compromise backend systems and connected infrastructure.
Mitigation Recommendations
Immediate mitigation should focus on restricting access to the vulnerable plugin's functionality. Organizations should:
1) Temporarily disable or uninstall the Extensions For CF7 plugin until a security patch is released.
2) Implement strict web application firewall (WAF) rules to detect and block suspicious requests targeting the 'delete-file' parameter or unusual file path patterns indicative of path traversal.
3) Limit administrative access to trusted personnel and enforce multi-factor authentication to reduce the risk of malicious deletion actions.
4) Monitor server logs for anomalous file deletion attempts and unusual administrator activities.
5) Regularly back up WordPress files and databases to enable rapid restoration in case of file deletion.
6) Once available, promptly apply vendor patches or updates addressing this vulnerability.
7) Conduct a thorough security audit of WordPress installations to identify and remediate any unauthorized changes.
These steps go beyond generic advice by focusing on access control, monitoring, and proactive defense tailored to the vulnerability's exploitation vector.
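The durable fix for this class of bug is in the plugin's delete handler: canonicalise the stored path and refuse anything that does not resolve inside the attachment directory. The following is an added illustration, not code from the Extensions For CF7 plugin or from htplugins; the function name is hypothetical, and it assumes submission attachments are stored under the WordPress uploads directory and that `$delete_file` is the attacker-influenced value of the 'delete-file' field.

```php
<?php
// Added example (not the plugin's code): hardened deletion of a submission attachment.
// Assumption: attachments live under wp_upload_dir()['basedir'] and $delete_file is the
// stored 'delete-file' value, which originates from an unauthenticated form submission.

function cf7ext_safe_delete_attachment( string $delete_file ): bool {
    // Only an administrator acting through the plugin's own UI may trigger a deletion.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }

    // Resolve the real base directory once; deletions are confined to it.
    $upload  = wp_upload_dir();
    $basedir = realpath( $upload['basedir'] );
    if ( false === $basedir ) {
        return false;
    }

    // Reject empty names, NUL bytes, absolute paths (POSIX or Windows) and any ".." segment
    // before touching the filesystem, so the rejection can be logged as a traversal attempt.
    if ( '' === $delete_file
        || false !== strpos( $delete_file, "\0" )
        || preg_match( '#(^|[\\\\/])\.\.([\\\\/]|$)#', $delete_file )
        || preg_match( '#^([a-zA-Z]:)?[\\\\/]#', $delete_file ) ) {
        error_log( 'cf7ext: rejected delete-file value (possible path traversal)' );
        return false;
    }

    // Canonicalise and check containment. realpath() follows symlinks, so a link inside
    // uploads that points at wp-config.php resolves outside $basedir and is rejected too.
    $target = realpath( $basedir . DIRECTORY_SEPARATOR . $delete_file );
    if ( false === $target
        || ! is_file( $target )
        || 0 !== strpos( $target, $basedir . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    // WordPress core helper (since 4.9.7) that repeats the containment check before unlinking.
    return wp_delete_file_from_directory( $target, $basedir );
}
```

The early pattern checks are defence in depth only; the containment test on the `realpath()` result is the control that actually prevents deletion outside the uploads directory.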
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-14T15:47:06.572Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687f33ada83201eaac18c00e
Added to database: 7/22/2025, 6:46:05 AM
Last enriched: 7/22/2025, 7:01:08 AM
Last updated: 7/22/2025, 12:53:01 PM