Redirection for Contact Form 7
by WordPress
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-8145 | | High | 0.57 | 8.8 | 0.02 | | Aug 20, 2025 | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP… |
| CVE-2025-8289 | | High | 0.49 | 7.5 | 0.01 | | Aug 20, 2025 | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the delete_associated_files function. This makes it possible for unauthenticated attackers to… |
| CVE-2026-23970 | | High | 0.46 | 7.1 | — | | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions. |
| CVE-2021-24278 | | | 0.03 | — | 0.35 | | May 14, 2021 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function. |
| CVE-2021-36913 | | | 0.00 | — | 0.00 | | Oct 11, 2022 | Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe. |
| CVE-2022-0250 | | | 0.00 | — | 0.03 | | Jul 4, 2022 | The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a link generated before outputting it in an attribute, leading to a Reflected Cross-Site Scripting |
| CVE-2021-24279 | | | 0.00 | — | 0.00 | | May 14, 2021 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository. |
| CVE-2021-24282 | | | 0.00 | — | 0.00 | | May 14, 2021 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin’s… |
| CVE-2021-24281 | | | 0.00 | — | 0.00 | | May 14, 2021 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site. |
| CVE-2021-24280 | | | 0.00 | — | 0.03 | | May 14, 2021 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects. |