CVE-2025-8141: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in themeisle Redirection for Contact Form 7
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-8141 is a path traversal vulnerability (CWE-22) in the Redirection for Contact Form 7 plugin for WordPress, developed by themeisle. The flaw is in the delete_associated_files function, which does not validate or restrict file paths before deleting files, so an unauthenticated attacker can craft a request naming a file outside the intended directory and have it deleted; any file the web server process has permission to remove is reachable. The plugin is widely used to manage redirections for Contact Form 7, itself a popular WordPress plugin, and all versions up to and including 3.2.4 are affected. The CVSS v3.1 score is 8.8 (high): network attack vector, low attack complexity, no privileges required, but user interaction required. The confidentiality, integrity and availability impacts are all rated high, because deleting a critical file such as wp-config.php can cause site downtime and data loss and can lead to remote code execution if the attacker manipulates the environment after the deletion. No exploits are currently known in the wild, but the combination of no authentication and weak path validation makes the flaw straightforward to exploit. The vulnerability was reserved on July 24, 2025, and published on August 20, 2025. No official patch or update is listed yet, so mitigation requires immediate attention from site administrators.
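The control the analysis says is missing is a containment check: before calling unlink(), the deletion routine has to canonicalise the requested path and prove it still lies under the one directory the plugin owns. The PHP below is an added illustration of that check, not the plugin's code or its patch; the function name, the assumption that the plugin stores its files flat under a single upload directory, and the demo layout are all hypothetical. In a real plugin the base directory would typically come from wp_upload_dir()['basedir'] rather than a temp directory.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened deletion routine (added example, not the plugin's code).
// Assumption: the plugin only ever needs to remove files it stored directly
// under one directory it owns ($baseDir), so a bare file name is all a caller
// may supply. Returns true only when a regular file inside $baseDir was removed.
function delete_associated_file_safely(string $baseDir, string $requestedName): bool
{
    // Canonicalise the allowed root; realpath() returns false if it does not exist.
    $root = realpath($baseDir);
    if ($root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Input must be a single path component: basename() strips any directory
    // part, so a mismatch means "../", "/" or "\" was smuggled in. NUL bytes are
    // rejected because they can truncate the name at the filesystem layer.
    if ($requestedName === ''
        || $requestedName !== basename($requestedName)
        || strpos($requestedName, "\0") !== false) {
        return false;
    }

    // Re-check containment on the canonical path: realpath() resolves ".." and
    // symlinks, so a link inside the root that points at wp-config.php fails here.
    $candidate = realpath($root . $requestedName);
    if ($candidate === false || strncmp($candidate, $root, strlen($root)) !== 0) {
        return false;
    }

    // Only regular files are ever deleted, never directories or device nodes.
    if (!is_file($candidate)) {
        return false;
    }
    return unlink($candidate);
}

// Stand-alone demo on a constructed layout in the system temp directory
// (POSIX: it creates a symlink). Nothing outside that sandbox is touched.
function demo(): array
{
    $sandbox = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cf7_demo_' . bin2hex(random_bytes(4));
    $uploads = $sandbox . DIRECTORY_SEPARATOR . 'uploads';
    $config  = $sandbox . DIRECTORY_SEPARATOR . 'wp-config.php';   // stand-in, constructed
    $link    = $uploads . DIRECTORY_SEPARATOR . 'link';
    mkdir($uploads, 0700, true);
    file_put_contents($uploads . DIRECTORY_SEPARATOR . 'attachment.txt', 'constructed');
    file_put_contents($config, 'constructed');
    symlink($config, $link);

    $results = [
        'plain name'      => delete_associated_file_safely($uploads, 'attachment.txt'),
        'traversal'       => delete_associated_file_safely($uploads, '../wp-config.php'),
        'symlink escape'  => delete_associated_file_safely($uploads, 'link'),
        'absolute path'   => delete_associated_file_safely($uploads, '/etc/hostname'),
        'config survives' => file_exists($config),
    ];

    // Clean up the sandbox.
    foreach ([$link, $config] as $f) {
        if (file_exists($f) || is_link($f)) {
            unlink($f);
        }
    }
    rmdir($uploads);
    rmdir($sandbox);
    return $results;
}

foreach (demo() as $case => $ok) {
    printf("%-16s %s\n", $case, $ok ? 'true' : 'false');
}
```

The two checks are deliberately redundant: the basename() comparison rejects malformed input before any filesystem call, and the realpath() prefix comparison catches what string filtering cannot, such as a symlink planted inside the upload directory that resolves to a file elsewhere. Only the plain file name inside the sandbox is deleted in the demo; the traversal, symlink and absolute-path requests are refused and the stand-in wp-config.php remains.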
Potential Impact
The vulnerability allows unauthenticated attackers to delete arbitrary files on the web server hosting the WordPress site. This can lead to severe consequences including denial of service by deleting critical configuration files, loss of data, and potentially remote code execution if attackers delete files that trigger fallback or recovery mechanisms. The integrity of the website and its data is compromised, and availability is disrupted. Organizations relying on this plugin face risks of website defacement, downtime, and potential lateral movement within their infrastructure if attackers gain further access. The broad usage of Contact Form 7 and its redirection plugin means a large number of WordPress sites globally are at risk. The ease of exploitation and high impact make this a critical threat to website security and business continuity.
Mitigation Recommendations
Until an official patch is released, organizations should immediately disable or uninstall the Redirection for Contact Form 7 plugin to prevent exploitation. Restrict web server file permissions to limit the plugin’s ability to delete sensitive files outside its directory. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting path traversal patterns targeting the delete_associated_files function. Monitor web server logs for unusual deletion requests or errors related to file access. Consider isolating WordPress instances in containers or sandboxes to limit damage scope. Once a patch is available, apply it promptly and verify the plugin version is updated beyond 3.2.4. Additionally, maintain regular backups of critical files like wp-config.php to enable rapid recovery. Educate site administrators about the risks of unauthenticated file deletion vulnerabilities and enforce least privilege principles for all plugins.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-24T16:21:17.311Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a533d0ad5a09ad00ff4062
Added to database: 8/20/2025, 2:32:48 AM
Last enriched: 2/26/2026, 4:51:18 PM
Last updated: 3/26/2026, 11:12:34 AM