CVE-2025-8145: CWE-502 Deserialization of Untrusted Data in themeisle Redirection for Contact Form 7
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
CVE-2025-8145: CWE-502 Deserialization of Untrusted Data in themeisle Redirection for Contact Form 7
Description
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-07-24T19:08:42.997Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68a533d0ad5a09ad00ff4066
Added to database: 8/20/2025, 2:32:48 AM
Last updated: 8/20/2025, 2:32:48 AM
Views: 1
Related Threats
CVE-2025-8289: CWE-502 Deserialization of Untrusted Data in themeisle Redirection for Contact Form 7
HighCVE-2025-8141: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in themeisle Redirection for Contact Form 7
HighCVE-2025-9132: Out of bounds write in Google Chrome
UnknownCVE-2025-9193: Open Redirect in TOTVS Portal Meu RH
MediumCVE-2025-9176: OS Command Injection in neurobin shc
MediumActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.