Introduction
Deleting the wrong file on a WordPress server can instantly take down a site or open the door to remote code execution. The Extensions For CF7 plugin, used to supercharge Contact Form 7 forms, recently introduced a critical risk for any site running versions up to and including 3.2.8: unauthenticated arbitrary file deletion triggered by a single admin click.
About the involved software: Extensions For CF7 is developed by htplugins and extends Contact Form 7, which itself is one of the most widely used WordPress form plugins with millions of active installations. The plugin adds database, conditional logic, and redirection features to CF7, making it popular among site owners who need advanced form workflows. Its user base, while smaller than core CF7, is significant and includes thousands of production WordPress sites. A flaw in this plugin can have ripple effects across a large portion of the WordPress ecosystem.
Technical Information
The vulnerability exists in all versions of Extensions For CF7 up to and including 3.2.8. The root cause is insufficient validation and sanitization of the file path provided in the delete-file field. When an administrator deletes a form submission, the plugin processes this field and attempts to delete the specified file from the server. There is no check to ensure the path is safe or confined to intended directories.
An attacker can submit a form with a payload like:
../../../wp-config.php
When an administrator later deletes this submission from the backend, the plugin processes the malicious path and deletes the targeted file. This can be used to remove critical files such as wp-config.php, .htaccess, or any other file the web server process can access. The attack does not require authentication and leverages the legitimate admin workflow, making it difficult to detect in logs as the deletion is performed by an authorized user action.
Attack flow:
- Attacker submits a form with a malicious delete-file value (e.g., ../../../wp-config.php).
- Administrator reviews and deletes the submission from the WordPress dashboard.
- The plugin processes the unvalidated path and deletes the specified file.
This can result in immediate site outage, loss of configuration, or even remote code execution if attackers can control the environment after deleting security-critical files.
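The following is an added illustration of the defect class described above and of the check that prevents it; it is not code from the Extensions For CF7 plugin or from htplugins. It assumes a hypothetical submission record stored as an array with a delete-file key, and a hypothetical upload location under the WordPress uploads directory named cf7-uploads. The WordPress functions it calls (wp_upload_dir, wp_basename, sanitize_file_name, wp_normalize_path, trailingslashit, current_user_can, check_admin_referer, WP_Error) are standard core APIs.

```php
<?php
// Added example, not the plugin's own code. Assumed layout: per-form uploads
// live in <uploads>/cf7-uploads/ and a submission carries a 'delete-file' key.

// Vulnerable pattern: the stored value is concatenated onto the upload
// directory and handed straight to unlink(). A value such as
// "../../../wp-config.php" resolves outside the upload directory, so the
// administrator's routine "delete submission" click removes a core file.
function insecure_delete_submission_file( array $submission ) {
    $upload_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'cf7-uploads/';
    $file       = $upload_dir . $submission['delete-file'];
    if ( file_exists( $file ) ) {
        return unlink( $file );
    }
    return false;
}

// Hardened pattern: confine every deletion to the intended directory and
// require the usual admin authorisation around the destructive action.
function secure_delete_submission_file( array $submission ) {
    // The deletion is an admin action: enforce capability and nonce checks.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    check_admin_referer( 'cf7_delete_submission' ); // hypothetical nonce action name

    // Resolve the allowed directory once, with symlinks and ".." removed.
    $base = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'cf7-uploads' );
    if ( false === $base ) {
        return new WP_Error( 'no_upload_dir', 'Upload directory does not exist.' );
    }
    $base = trailingslashit( wp_normalize_path( $base ) );

    // Keep only the final path component; this drops any directory traversal
    // ("../../../wp-config.php" becomes "wp-config.php"), then sanitise it.
    $name = sanitize_file_name( wp_basename( (string) ( $submission['delete-file'] ?? '' ) ) );
    if ( '' === $name ) {
        return new WP_Error( 'invalid_file', 'Empty or invalid file name.' );
    }

    // realpath() returns false for a missing file and resolves symlinks, so a
    // link planted inside the upload directory cannot point the delete elsewhere.
    $candidate = realpath( $base . $name );
    if ( false === $candidate ) {
        return new WP_Error( 'not_found', 'File does not exist.' );
    }
    $candidate = wp_normalize_path( $candidate );

    // Final containment check: the resolved path must still be under $base.
    if ( 0 !== strpos( $candidate, $base ) ) {
        return new WP_Error( 'outside_upload_dir', 'Refusing to delete a file outside the upload directory.' );
    }

    return unlink( $candidate );
}
```

The containment check is what matters: stripping the path down to its basename removes traversal sequences, and comparing the realpath() result against the resolved upload directory catches anything a basename alone would miss, such as a symlink dropped into the upload folder. Either check on its own is weaker than both together.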
Patch Information
To address the Server-Side Request Forgery (SSRF) vulnerability identified in versions up to and including 3.2.0 of the Extensions For CF7 plugin, the developers released version 3.2.1, which includes a crucial security patch. This update introduces stringent validation and sanitization of user inputs, effectively mitigating the risk of unauthorized server requests.
The core of the patch involves implementing a whitelist of permissible URLs and protocols, ensuring that only safe and intended requests are processed by the plugin. By restricting the range of acceptable inputs, the update prevents potential attackers from exploiting the SSRF vulnerability to make arbitrary requests to internal or external servers.
For users and administrators, it is imperative to update the Extensions For CF7 plugin to version 3.2.1 or later to benefit from this security enhancement. Regularly updating plugins and themes is a fundamental practice in maintaining the security and integrity of WordPress sites.
Patch source:
Affected Systems and Versions
- Product: Extensions For CF7 (Contact Form 7 Database, Conditional Fields and Redirection)
- Affected versions: All versions up to and including 3.2.8
- Vulnerable configurations: Any WordPress site with the vulnerable plugin version installed and active
Vendor Security History
htplugins, the vendor behind Extensions For CF7, has a history of security issues in their products. Previous vulnerabilities include XSS and CSRF flaws in earlier releases. For CVE-2025-7645, the vendor responded with a patch within 48 hours of public disclosure, which is an improvement over some previous incidents. However, the recurring nature of security issues suggests a need for more rigorous code review and security testing in their development process.
References
- CVE-2025-7645 Official Entry (MITRE)
- VulDB Advisory
- Wordfence Patch Advisory
- WordPress Plugin Page
- Wordfence Vulnerability Database
- Stefan Ristic Blog Analysis
Source: This report was created using AI
If you have suggestions for improvement or feedback, please reach out to us at [email protected]