Redirection For Contact Form 7 WordPress Plugin Vulnerability
A newly disclosed file-copy and file-upload flaw in the Redirection for Contact Form 7 add-on (not in Contact Form 7 itself) can expose WordPress sites to abuse if left unpatched.
A new high-severity vulnerability has been disclosed in Redirection for Contact Form 7, a popular WordPress add-on installed on an estimated 300,000 sites. The flaw carries a CVSS score of 8.1 (High) and, in certain configurations, lets unauthenticated attackers copy or upload arbitrary files on affected servers.
What Redirection For Contact Form 7 Does
Redirection for Contact Form 7, developed by Themeisle, extends the core Contact Form 7 plugin with post-submission workflows. Site owners commonly use it to:
- Redirect users to a thank-you or custom landing page after form submission
- Store form entries in a database
- Trigger additional actions such as email notifications or lead-handling logic
Because it often sits in lead-generation and contact flows, the plugin is widely deployed across small business, agency, and marketing sites, which is why security issues here warrant prompt attention.
Unauthenticated File Upload / File Copy Vulnerability
The current issue is particularly concerning because it is unauthenticated: attackers need no account or login to attempt exploitation. According to Wordfence's advisory, tracked as CVE-2025-14800, the flaw stems from missing file-type validation in a plugin function named move_file_to_upload.
Wordfence explains:
“The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘move_file_to_upload’ function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site’s server. If ‘allow_url_fopen’ is set to ‘On’, it is possible to upload a remote file to the server.”
In simple terms, a remote attacker could potentially:
- Copy files already on the server to other locations
- Where PHP is configured to allow it (allow_url_fopen = On), fetch a file from a remote URL onto the server
That combination turns a simple form add-on into a potential entry point for more serious compromise if left unpatched.
How PHP Configuration Affects Exploitation
One mitigating factor is the PHP setting allow_url_fopen, which controls whether PHP's file functions (fopen, copy, file_get_contents and friends) accept URLs such as http:// or ftp:// in place of local paths. PHP ships with it On by default, but many shared hosting providers turn it Off to reduce risk. It is a PHP_INI_SYSTEM directive: it can only be changed in php.ini or the web server's PHP configuration, not from plugin code with ini_set() or from a .htaccess file, so a plugin cannot switch it on for itself.
- If allow_url_fopen = Off, this pathway cannot pull in remote URLs, but copying files that already exist on the server is still possible, and that alone can expose sensitive content or stage a further attack.
- If allow_url_fopen = On, the attack surface is broader: the vulnerable function can fetch attacker-controlled content from a remote URL and write it into your environment.
So while the bug is unauthenticated and serious, real-world exploitability will vary based on how your server and PHP are configured. Still, relying on host defaults isn’t a defence strategy; patching the plugin is the only reliable fix.
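To make the bug class concrete, here is an added illustration in plain PHP. It is not the plugin's real move_file_to_upload code and not Wordfence's material; the function names, parameters and the extension allow-list are assumptions made for the example. The first function shows the unsafe pattern the advisory describes (a request-supplied source path handed to copy() with no type check), and the second shows the checks a hardened version needs.

```php
<?php
// Added illustration of the bug class. NOT the plugin's real code; the
// function names, parameters and allow-list below are assumptions.

/**
 * Vulnerable pattern: the source path comes from the request and goes
 * straight into copy(). copy() opens any path PHP can open, so an attacker
 * can duplicate files already on the server, and when allow_url_fopen is On
 * it also accepts http:// and ftp:// URLs, so a remote file can be pulled in.
 */
function move_to_uploads_vulnerable(string $source, string $name, string $uploadDir): bool
{
    // No check that $source was uploaded, no check of its type, and the
    // client-chosen $name decides the target path.
    return copy($source, rtrim($uploadDir, '/') . '/' . $name);
}

/**
 * Hardened pattern. $file is one entry of $_FILES (e.g. $_FILES['attachment']).
 * Returns the stored path or throws.
 */
function move_to_uploads_hardened(array $file, string $uploadDir): string
{
    // 1. Only accept what PHP itself received in this request's multipart body.
    //    This rejects arbitrary local paths and URL wrappers outright, whatever
    //    allow_url_fopen is set to.
    if (!isset($file['tmp_name'], $file['name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 2. Allow-list extensions and verify the real content type with finfo.
    //    Never trust the client-supplied $file['type'].
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // 3. Generate the stored name so the client filename never reaches the
    //    filesystem (no traversal, no double extensions like shell.php.pdf).
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // 4. move_uploaded_file() refuses anything that was not uploaded in this request.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('move failed');
    }
    return $target;
}
```

The important point is step 1: is_uploaded_file() and move_uploaded_file() only ever operate on the temporary file PHP created for this request, so neither a local path nor a URL can be smuggled in, regardless of php.ini. Disabling PHP execution under wp-content/uploads at the web-server level is a sensible defence-in-depth measure, but it does not remove the file-copy primitive; only the validation in the plugin does.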
Recommended Action: Update To 3.2.8 Or Newer
Security advisories from Wordfence and CVE databases state that all versions up to and including 3.2.7 are affected. The plugin developer has issued a patched release, and users are strongly advised to:
- Update Redirection for Contact Form 7 to version 3.2.8 or later as soon as possible
- If you suspect prior compromise, check for unexpected files in wp-content/uploads and other writable paths, especially PHP files or copies of files that should never be web-readable (such as wp-config.php)
- Review your PHP and hosting settings, including allow_url_fopen, as part of routine hardening; check the value the web SAPI actually uses (phpinfo() or ini_get('allow_url_fopen') from a web request), since the CLI php.ini can differ from the web server's
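The three checks above can be scripted. The following is an added audit script, not something published by Wordfence or the plugin author. It assumes the plugin lives in wp-content/plugins/wpcf7-redirect/ with main file wpcf7-redirect.php (verify this against your install), takes 3.2.8 as the fixed release, and must be run with the same PHP binary the web server uses so the allow_url_fopen reading is meaningful.

```php
<?php
// Added audit script (not from Wordfence or the plugin author).
// Usage:  php audit-wpcf7-redirect.php /var/www/html
// Assumptions: plugin directory and main file name as below; fixed version 3.2.8.

const FIXED_VERSION = '3.2.8';
const PLUGIN_MAIN   = 'wp-content/plugins/wpcf7-redirect/wpcf7-redirect.php';

// Read the "Version:" line from a WordPress plugin header (same layout WordPress parses).
function plugin_version(string $mainFile): ?string
{
    $header = @file_get_contents($mainFile, false, null, 0, 8192);
    if ($header === false) {
        return null;
    }
    return preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m) ? $m[1] : null;
}

function is_vulnerable(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

// allow_url_fopen is PHP_INI_SYSTEM: this reports the value for the SAPI
// running this script, which is why it must be the web server's PHP.
function allow_url_fopen_enabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// Flag files under uploads that should not be there: code-executing extensions,
// .htaccess files (which can re-enable PHP execution), and any file whose
// content starts with a PHP tag regardless of extension (a copied server file
// would look like that).
function suspicious_uploads(string $uploadsDir): array
{
    $codeExt = ['php', 'php5', 'php7', 'phtml', 'phar', 'phps'];
    $hits = [];
    if (!is_dir($uploadsDir)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploadsDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if (!$f->isFile()) {
            continue;
        }
        $why = null;
        if (in_array(strtolower($f->getExtension()), $codeExt, true)) {
            $why = 'executable extension';
        } elseif ($f->getFilename() === '.htaccess') {
            $why = '.htaccess in uploads (review its contents)';
        } elseif (preg_match('/^\s*<\?(php|=)/', (string) @file_get_contents($f->getPathname(), false, null, 0, 64))) {
            $why = 'content starts with a PHP tag';
        }
        if ($why !== null) {
            $hits[$f->getPathname()] = $why;
        }
    }
    return $hits;
}

$root    = rtrim($argv[1] ?? getcwd(), '/');
$version = plugin_version("$root/" . PLUGIN_MAIN);
if ($version === null) {
    echo "plugin header not found at " . PLUGIN_MAIN . " (not installed, or path assumption wrong)\n";
} else {
    printf("Redirection for Contact Form 7 %s: %s\n", $version,
        is_vulnerable($version) ? "VULNERABLE, update to " . FIXED_VERSION . " or later" : "patched");
}
printf("allow_url_fopen: %s\n", allow_url_fopen_enabled() ? 'On (remote fetch pathway available)' : 'Off');
foreach (suspicious_uploads("$root/wp-content/uploads") as $path => $why) {
    echo "SUSPICIOUS: $path ($why)\n";
}
```

A hit from suspicious_uploads() is a lead, not a verdict: some themes and plugins legitimately place a .htaccess under uploads, so review each flagged file and its modification time against your deployment history before deleting anything, and treat any file whose content starts with a PHP tag as a likely indicator of compromise.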
Given the plugin’s footprint and the unauthenticated nature of the bug, this should be treated as a priority update in any WordPress security maintenance plan.