WordPress Contact Form 7 Redirection Plugin Vulnerability Affects 300k Sites
A critical flaw within the Contact Form 7 Redirection plugin is affecting more than 300,000 WordPress websites.
A serious security flaw has been discovered in the Redirection for Contact Form 7 plugin for WordPress, which is installed on more than 300,000 websites. The vulnerability allows unauthenticated attackers to delete arbitrary files on the server, which can lead to remote code execution, and it poses a serious threat to the affected sites.
The vulnerability is rated 8.8 out of 10 (High) on the CVSS severity scale.

Vulnerability Details
The Redirection for Contact Form 7 plugin extends the popular Contact Form 7 plugin by letting site owners redirect users after a form is submitted. It also stores submissions in the database, sends notification emails, and blocks spam entries.
While it is a useful tool, a security flaw has been found in this widely used add-on, which is installed on over 300,000 websites.
The flaw lies in the plugin’s delete_associated_files function, the PHP routine that removes files associated with form submissions. The function does not validate the user-supplied file path before deleting the file, so nothing prevents a path from pointing outside the directory the plugin is meant to manage.
Hackers could exploit this by supplying a file path containing directory traversal, for example ../../wp-config.php, and thereby delete essential configuration files. Deleting the right file opens the door to remote code execution (RCE), a serious attack that lets hackers run malicious code on the compromised website and take control of it.
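To make the flaw concrete, here is the vulnerable shape of such a deletion routine beside a hardened version. This is an added illustration, not the plugin’s actual code or anything published by Wordfence: the function name delete_associated_files comes from the advisory above, but its real signature, the helper resolve_inside, and the temporary directory layout used for the demonstration are assumptions.

```php
<?php
// Added illustration only: this is not the plugin's code. The function name
// delete_associated_files comes from the advisory; its real signature, the
// helper names below and the directory layout used here are assumptions.

// Vulnerable shape: a file name taken from the form submission is joined to
// the uploads directory and handed to unlink() with no path validation, so
// a traversal value such as "../../wp-config.php" escapes that directory.
function delete_associated_files_vulnerable(string $uploads_dir, array $files): void
{
    foreach ($files as $file) {
        $path = $uploads_dir . '/' . $file;
        if (file_exists($path)) {
            unlink($path);
        }
    }
}

// Resolve $file relative to $base_dir and return its canonical path only if
// it lies inside $base_dir; return null otherwise.
function resolve_inside(string $base_dir, string $file): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // basename() discards every directory component, so "../../x" becomes
    // "x" and an absolute path collapses to its last segment.
    $candidate = $base . DIRECTORY_SEPARATOR . basename($file);
    // realpath() canonicalises the path (following symlinks) and returns
    // false when the target does not exist.
    $real = realpath($candidate);
    if ($real === false) {
        return null;
    }
    // Containment check: the canonical path must start with the canonical
    // base directory plus a separator. This also rejects a symlink inside
    // the uploads directory that points outside it, which basename() alone
    // would not catch.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Hardened shape: only regular files that resolve inside the uploads
// directory are deleted; everything else is logged and skipped. Returns the
// list of paths actually deleted.
function delete_associated_files_hardened(string $uploads_dir, array $files): array
{
    $deleted = [];
    foreach ($files as $file) {
        $real = resolve_inside($uploads_dir, $file);
        if ($real === null || !is_file($real)) {
            // A rejected name is worth logging: it is either a bug or an attack attempt.
            error_log('delete_associated_files: refused "' . $file . '"');
            continue;
        }
        if (unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Demonstration in a constructed temporary tree (stand-ins, not a real site):
//   <tmp>/wp-config.php            the file a traversal would target
//   <tmp>/uploads/attachment.txt   a legitimate form attachment
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cf7r-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/wp-config.php', "<?php // stand-in config\n");
file_put_contents($tmp . '/uploads/attachment.txt', "attachment\n");

// Three inputs: a traversal attempt, an absolute path, and a legitimate name.
$deleted = delete_associated_files_hardened(
    $tmp . '/uploads',
    ['../wp-config.php', $tmp . '/wp-config.php', 'attachment.txt']
);

echo file_exists($tmp . '/wp-config.php')
    ? "stand-in wp-config.php kept\n"
    : "stand-in wp-config.php DELETED\n";
echo 'deleted: ' . implode(', ', $deleted) . "\n";

// Clean up the constructed tree.
unlink($tmp . '/wp-config.php');
rmdir($tmp . '/uploads');
rmdir($tmp);
```

In a real WordPress plugin the base directory would come from wp_upload_dir()['basedir'] rather than a temporary path. The two checks in resolve_inside are deliberately redundant: basename() defeats traversal in the supplied name, while the realpath() prefix comparison covers the case where something inside the uploads directory (such as a symlink) resolves elsewhere. The error_log call is the detection hook: a name that fails the check is worth alerting on, since a legitimate form never produces one.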
Wordfence’s Security Advisory
Wordfence, a renowned cybersecurity firm, explains:
“This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).”
The vulnerability affects all versions of the plugin up to and including 3.2.4. Administrators of sites running an affected version should update to the latest patched release as soon as possible to reduce the risk.
Final Thoughts
Given how widely the Redirection for Contact Form 7 plugin is installed, this flaw is a major threat to the WordPress ecosystem. Prompt patching and ongoing monitoring are essential to protect websites from attacks and keep the platform secure.