CVE-2025-8141: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in themeisle Redirection for Contact Form 7
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-8141 is a path traversal vulnerability (CWE-22) in the 'Redirection for Contact Form 7' WordPress plugin developed by themeisle, present in all versions up to and including 3.2.4. The root cause is insufficient validation of file paths in the delete_associated_files function: the path of the file to be deleted is derived from request-controlled input without being confined to the directory the function is meant to operate in, so traversal sequences (../) or an absolute path let an attacker name any file the PHP process is able to unlink. Because the code path is reachable without authentication, an unauthenticated attacker can delete arbitrary files on the web server hosting the site. Deleting wp-config.php is the usual route from file deletion to remote code execution: without its configuration file WordPress falls back to the installation flow, which lets an attacker re-run setup against a database they control and then install a malicious plugin or theme as the newly created administrator; deleting .htaccess or other files that carry access restrictions is a further option. The CVSS v3.1 base score given here is 8.8 (High): network attack vector, low attack complexity, no privileges required, user interaction required (for example, a victim visiting a crafted URL), with high confidentiality, integrity and availability impact. In practice, arbitrary file deletion means data loss, site compromise and service disruption. At the time of publication (August 20, 2025) no exploits in the wild were known and no official patch had been released.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those running WordPress websites with the Contact Form 7 plugin and the vulnerable Redirection add-on. Unauthenticated arbitrary file deletion can lead to website defacement, full site compromise through the deletion-to-code-execution chain, or complete service outages. This can disrupt business operations, damage brand reputation, and lead to regulatory non-compliance under GDPR if personal data is exposed or lost. Organizations in sectors such as e-commerce, government, healthcare, and finance, which often use WordPress for public-facing sites, are particularly exposed. The ease of exploitation and the potential for remote code execution elevate the threat to critical infrastructure and services hosted on WordPress platforms, and because no authentication is required, the vulnerability can be exploited at scale across European digital assets.
Mitigation Recommendations
Immediate mitigation should focus on reducing the attack surface: deactivate or remove the 'Redirection for Contact Form 7' plugin until a fixed release is available, and audit every WordPress installation for the plugin and its version (the Version: line in the plugin's main file header, or WP-CLI's wp plugin list). Web Application Firewall rules can buy time, but delete_associated_files is a PHP function name, not something visible in an HTTP request; rules must instead match traversal sequences (../ and ..\, including URL-encoded and double-encoded forms such as %2e%2e%2f and %252e%252e%252f) in request parameters, and they cannot see POST bodies unless the WAF or reverse proxy inspects them. When monitoring logs, do not expect 404s for wp-config.php: a WordPress site whose configuration file has been deleted redirects visitors to /wp-admin/setup-config.php, so a request to setup-config.php or install.php on an already-installed site is a strong indicator that deletion has occurred; pair this with file integrity monitoring of the WordPress root (wp core verify-checksums covers core files but not the site-specific wp-config.php). Restrictive file permissions help only if applied correctly: unlink() needs write access to the containing directory, not to the file itself, so a read-only wp-config.php in a directory writable by the PHP user can still be deleted. Moving wp-config.php one directory above the web root (WordPress looks there automatically) and keeping the web root non-writable by the PHP process limits what the flaw can reach. Organizations should prepare for rapid patch deployment once an official fix is released by themeisle, and maintain tested backups of WordPress files and databases so a deleted configuration file or a compromised site can be restored quickly.
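Two triage helpers for the audit and log-monitoring steps above, as an added example that is not part of the advisory or the vendor's tooling: a numeric version check against the plugin file header, and a scanner over access-log lines that flags traversal sequences in request targets and hits on the WordPress install flow. The plugin header text, log lines, IP addresses, the /index.php endpoint and the file query parameter are constructed for the demonstration; the page does not give the real request shape of the vulnerable code path.

```python
"""Added example (not from the advisory or the vendor): triage helpers for the
mitigation steps.  Header text, log lines, addresses, endpoint and parameter
names are constructed for the demo."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

LAST_VULNERABLE = (3, 2, 4)   # "all versions up to, and including, 3.2.4"

# WordPress plugin main files carry a comment header with a 'Version:' line.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric tuple so that 3.10.0 sorts after 3.2.4 (a string compare would not)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(header_text: str) -> bool:
    return parse_version(header_text) <= LAST_VULNERABLE


# Apache/nginx combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
INSTALL_PATHS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")
REASON_TRAVERSAL = "path traversal sequence in request target"
REASON_INSTALL = "install flow reached on a live site (wp-config.php missing?)"


def traversal_in(raw: str) -> bool:
    """Check the raw target, then once- and twice-decoded forms, so that
    ../, ..%2F, %2e%2e%2f and %252e%252e%252f are all caught."""
    seen = raw
    for _ in range(3):
        if "../" in seen or "..\\" in seen:
            return True
        seen = unquote(seen)
    return False


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Returns one finding per suspicious line.  Only the request line is
    available here: POST bodies are not in access logs, so this cannot see
    traversal strings sent in form fields."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status = m.groups()
        path = target.split("?", 1)[0]
        if traversal_in(target):
            findings.append({"ip": ip, "ts": ts, "target": target, "reason": REASON_TRAVERSAL})
        elif path in INSTALL_PATHS:
            findings.append({"ip": ip, "ts": ts, "target": target, "reason": REASON_INSTALL})
    return findings


# Constructed plugin header as it would appear in the plugin's main PHP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Redirection for Contact Form 7
 * Version: 3.2.4
 */
"""

# Constructed log lines; endpoint and 'file' parameter are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Aug/2025:02:31:05 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Aug/2025:02:32:48 +0000] "GET /index.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2 "-" "curl/8.4.0"',
    '198.51.100.7 - - [20/Aug/2025:02:33:10 +0000] "GET /wp-content/uploads/2025/08/resume.pdf HTTP/1.1" 200 88120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Aug/2025:02:33:41 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 3344 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable(SAMPLE_HEADER))
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["reason"], f["target"])
```

The second finding (setup-config.php on a site that is already installed) is the one worth paging on: it shows up after a successful deletion regardless of how the request that caused it was delivered, whereas the traversal match only works for parameters that appear in the request line.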
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-24T16:21:17.311Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68a533d0ad5a09ad00ff4062
Added to database: 8/20/2025, 2:32:48 AM
Last enriched: 8/20/2025, 2:48:13 AM
Last updated: 10/4/2025, 11:14:24 AM