High severity8.8NVD Advisory· Published Aug 20, 2025· Updated Apr 15, 2026

CVE-2025-8145

Description

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.3/classes/class-wpcf7r-lead.phpnvd
www.wordfence.com/threat-intel/vulnerabilities/id/2cb275d5-ec4b-419f-84e1-84172d381411nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000