CVE-2025-8145 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the Redirection for Contact Form 7 plugin for WordPress, developed by themeisle. The vulnerability exists in all versions up to and including 3.2.4, specifically within the get_lead_fields function, which improperly deserializes untrusted input. This flaw enables unauthenticated attackers to perform PHP Object Injection, a technique that allows them to inject crafted PHP objects into the application’s memory space. The presence of a Property Oriented Programming (POP) chain in the Contact Form 7 plugin further exacerbates the risk by enabling attackers to delete arbitrary files on the server. Moreover, in certain server environments, this vulnerability can escalate to remote code execution (RCE), allowing full system compromise. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation (network vector, no privileges required). The vulnerability does require some user interaction, likely through crafted form submissions. Although no public exploits have been observed yet, the combination of unauthenticated access and potential for RCE makes this a critical threat for WordPress sites using this plugin. The lack of available patches at the time of reporting increases the urgency for mitigation.

The impact of CVE-2025-8145 is significant for organizations relying on WordPress sites with the Redirection for Contact Form 7 plugin installed. Successful exploitation can lead to unauthorized disclosure of sensitive data, deletion of critical files, and complete server takeover through remote code execution. This compromises the confidentiality, integrity, and availability of affected systems, potentially leading to data breaches, website defacement, service outages, and lateral movement within internal networks. E-commerce, government, healthcare, and financial sectors that rely heavily on WordPress for customer interaction and data collection are particularly vulnerable. The unauthenticated nature of the attack lowers the barrier for threat actors, increasing the likelihood of exploitation. Additionally, the potential for RCE can facilitate deployment of ransomware, backdoors, or other malware, amplifying the operational and reputational damage to organizations worldwide.

1. Immediately monitor for updates or patches from themeisle and apply them as soon as they become available. 2. Until patches are released, disable or remove the Redirection for Contact Form 7 plugin if feasible, especially on high-risk or public-facing sites. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious serialized payloads targeting the get_lead_fields function. 4. Harden PHP configurations by disabling dangerous functions (e.g., unserialize on untrusted data) and restricting file system permissions to limit file deletion capabilities. 5. Employ input validation and sanitization at the application level to prevent malicious serialized data from being processed. 6. Conduct regular security audits and penetration testing focusing on deserialization vulnerabilities. 7. Monitor server logs for unusual activity indicative of exploitation attempts, such as unexpected file deletions or code execution traces. 8. Isolate WordPress instances in segmented network zones to limit lateral movement in case of compromise. 9. Educate site administrators about the risks of installing untrusted plugins and the importance of timely updates.