CVE-2025-8145: CWE-502 Deserialization of Untrusted Data in themeisle Redirection for Contact Form 7
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible.
AI Analysis
Technical Summary
CVE-2025-8145 is a high-severity vulnerability in the 'Redirection for Contact Form 7' WordPress plugin developed by themeisle. The plugin passes untrusted data to PHP's unserialize() in its get_lead_fields function, so an unauthenticated attacker can make the server instantiate an object of the attacker's choosing (PHP Object Injection, CWE-502). All releases up to and including 3.2.4 are affected. An injected object is harmless on its own; it becomes dangerous when a class with an exploitable magic method (__destruct, __wakeup, __toString and similar) is loaded, because PHP invokes those methods on the attacker-supplied object without any application code calling them. The advisory states that such a gadget chain (a POP chain) exists in a Contact Form 7 plugin and that it allows arbitrary file deletion, and that under certain server configurations, which it does not name, the issue can be escalated to Remote Code Execution without authentication. The CVSS v3.1 base score of 8.8 (High) corresponds to the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges required, but requiring user interaction; scope unchanged; high impact on confidentiality, integrity and availability. No exploitation in the wild had been reported at the time of writing, and no patch was available at the time of publication, which makes interim mitigation urgent for WordPress sites running this plugin.
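The following is an added example written for this page, not code from the plugin or from themeisle. It shows the mechanism the summary describes: a raw unserialize() on stored visitor data instantiates whatever class the payload names, and a class with a side-effecting __destruct then acts on the attacker's behalf when the object is released. ToyGadget is a constructed stand-in for a gadget class (the real POP chain in a Contact Form 7 plugin is not reproduced), and get_lead_fields_vulnerable, get_lead_fields_hardened and get_lead_fields_json are hypothetical names modelled on the function the advisory mentions. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// ToyGadget is a constructed stand-in for a real POP gadget: any class in
// scope whose magic method has a dangerous side effect. The real chain the
// advisory refers to is not reproduced here.
final class ToyGadget
{
    public string $path = '';

    // PHP calls __destruct when the object is released, even when the object
    // was created by unserialize() rather than by application code.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern (hypothetical name): raw unserialize() of data that an
// unauthenticated visitor was able to store.
function get_lead_fields_vulnerable(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened: allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, on which no magic method ever runs. Use this when
// the stored format must stay PHP-serialized for compatibility.
function get_lead_fields_hardened(string $stored): mixed
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// Preferred for new code: JSON cannot describe a PHP object at all, so there
// is nothing for a gadget chain to attach to.
function get_lead_fields_json(string $stored): ?array
{
    $data = json_decode($stored, true, 32, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

function demo(): void
{
    $victim = tempnam(sys_get_temp_dir(), 'lead');
    // Constructed attacker payload: a ToyGadget whose path points at $victim.
    $payload = sprintf('O:9:"ToyGadget":1:{s:4:"path";s:%d:"%s";}',
                       strlen($victim), $victim);

    $obj = get_lead_fields_hardened($payload);
    printf("hardened: incomplete class = %s, file exists = %s\n",
           var_export($obj instanceof __PHP_Incomplete_Class, true),
           var_export(file_exists($victim), true));
    unset($obj); // nothing to run: ToyGadget was never instantiated

    $obj = get_lead_fields_vulnerable($payload);
    unset($obj); // ToyGadget::__destruct fires here and unlinks $victim
    printf("vulnerable: file exists = %s\n", var_export(file_exists($victim), true));
}

demo();
```

The hardened call still returns the scalar and array parts of the payload, so existing callers that only read fields keep working; only object instantiation is refused. Switching storage to JSON removes the class entirely but requires migrating data already stored in serialized form.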
Potential Impact
For European organizations, this vulnerability poses a substantial threat to any WordPress site with the Redirection for Contact Form 7 plugin installed. Successful exploitation can expose sensitive data (confidentiality), modify or delete critical files (integrity) and take the site offline through file deletion or remote code execution (availability), with the usual consequences of reputational damage, regulatory exposure (for example GDPR obligations following a personal-data breach), financial loss and operational downtime. Sectors that commonly run WordPress for public-facing sites or customer contact portals, such as e-commerce, government, healthcare and finance, are particularly exposed. Because no privileges are required, the vulnerable code is reachable by anyone who can submit data to the site. The UI:R component of the vector indicates that some action by a legitimate user is still needed before the injected object is deserialized; the advisory does not say which action, and on a public site such a condition is often easy to satisfy. Where the server configuration allows escalation to remote code execution, an attacker could gain full control of the web server and use it for lateral movement and persistent compromise.
Mitigation Recommendations
1. Disable or remove the 'Redirection for Contact Form 7' plugin until a fixed release is available; no patch existed at the time of publication.
2. Watch the themeisle and WordPress.org plugin pages for a release that addresses CVE-2025-8145 and apply it as soon as it appears.
3. Add Web Application Firewall rules that reject request parameters containing PHP serialized object markers (O:<n>:"..." and C:<n>:"..."), including URL- and base64-encoded variants, on the plugin's endpoints. Treat this as a stopgap: it narrows the attack surface but does not remove the unserialize() call.
4. Run the PHP worker under a dedicated account with write access only to the directories it needs (uploads, cache) and no write access to WordPress core, plugin and theme code or the site configuration file, so that arbitrary file deletion cannot reach the files that matter most.
5. Harden PHP to blunt the RCE path: list system, exec, shell_exec, passthru, proc_open and popen in disable_functions (eval is a language construct and cannot be disabled this way), set open_basedir to the site root, and run mod_security or an equivalent module.
6. Include deserialization flaws and third-party plugin code in regular security audits and penetration tests.
7. Make site administrators aware that stored form submissions are untrusted input and should be handled with care.
8. Keep tested backups of site files and database so that a compromised site can be restored quickly.
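As an added example of the detection logic behind recommendation 3 (written for this page, not code from the plugin, themeisle or any WAF vendor), the function below flags request parameters that contain a PHP serialized object, unwrapping one layer of URL or base64 encoding first. It can run as a WAF rule or, on a site that cannot remove the plugin immediately, as a gate in a must-use plugin before the request reaches the form handler. The sample request, the field names and the class name SomeClass are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Returns true when $value looks like PHP serialized data that instantiates a
// class: O:<len>:"<class>":<n>:{ (plain objects) or C:<len>:"<class>":<n>:{
// (classes implementing Serializable). The marker may sit at the start of the
// value or inside an enclosing array/string (preceded by ';' or '{'), and
// attackers commonly wrap the payload in URL or base64 encoding, so one layer
// of each is unwrapped before matching.
function contains_php_object_payload(string $value): bool
{
    $pattern = '/(?:^|[;{])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:/';

    $candidates = [$value, rawurldecode($value)];
    $decoded = base64_decode($value, true); // strict: non-base64 input returns false
    if ($decoded !== false) {
        $candidates[] = $decoded;
    }
    foreach ($candidates as $candidate) {
        if (preg_match($pattern, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

// Walks a request array (e.g. $_POST) recursively and returns the names of
// every parameter whose value matched, using PHP's bracket notation for
// nested keys so the result can be logged or fed to a block rule.
function find_object_payloads(array $params, string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $hits = array_merge($hits, find_object_payloads($value, $name));
        } elseif (is_string($value) && contains_php_object_payload($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample submission: two benign Contact Form 7 style fields, one
// field carrying an object nested inside a serialized array, and one carrying
// a base64-wrapped object. SomeClass is a placeholder class name.
$request = [
    'your-name'    => 'Jane Doe',
    'your-email'   => 'jane@example.com',
    'your-message' => 'a:1:{i:0;O:9:"SomeClass":1:{s:4:"path";s:14:"/tmp/wp-config";}}',
    'extra'        => ['nested' => base64_encode('O:9:"SomeClass":0:{}')],
];

$hits = find_object_payloads($request);
if ($hits !== []) {
    // In a WAF or a must-use plugin this is where the request would be rejected.
    echo 'blocked: object payload in ' . implode(', ', $hits) . PHP_EOL;
} else {
    echo 'clean' . PHP_EOL;
}
```

Against the constructed request the scanner reports your-message and extra[nested] and leaves the two plain fields alone. The check is deliberately broad (it also catches objects buried inside serialized arrays), but it only unwraps a single encoding layer and does not inspect compressed bodies, so it reduces exposure rather than closing the bug; removing or updating the plugin remains the fix.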
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-24T19:08:42.997Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a533d0ad5a09ad00ff4066
Added to database: 8/20/2025, 2:32:48 AM
Last enriched: 8/20/2025, 2:48:02 AM
Last updated: 10/3/2025, 6:13:03 AM
Related Threats
- CVE-2025-9952: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sergiotrinity Trinity Audio – Text to Speech AI audio player to convert content into audio (Medium)
- CVE-2025-9886: CWE-352 Cross-Site Request Forgery (CSRF) in sergiotrinity Trinity Audio – Text to Speech AI audio player to convert content into audio (Medium)
- CVE-2025-10383: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in contest-gallery Contest Gallery – Upload, Vote & Sell with PayPal and Stripe (Medium)
- CVE-2025-61895 (Low)
- CVE-2025-61894 (Low)