A serious security flaw has been discovered in the popular Redirection for Contact Form 7 plugin, which is used on more than 300,000 WordPress websites.

The vulnerability, rated 8.8 out of 10 on the CVSS scale, lies in the plugin's delete_associated_files function. Because the function does not properly validate the file path it is handed, an attacker who is not logged in can make it delete arbitrary files on the server. Deleting a critical file such as wp-config.php takes the site down, and because WordPress then falls back to its installation wizard, an attacker can point the site at a database they control and from there execute code on the server.

The plugin extends the widely used Contact Form 7 by adding features such as redirections, email notifications, and spam protection. Every site still running a vulnerable version is exposed until it is patched or the plugin is disabled.

The Wordfence advisory explains:

“This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).”
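The weak-validation pattern described above and in the advisory quote, shown as an added PHP example rather than the plugin's actual code: the first function strips `../` with a single pass and can be walked out of the uploads directory, the second canonicalises the path with realpath() and refuses anything that does not resolve inside that directory. The function names, the upload directory location and the on-disk layout are all hypothetical; the demo builds its own files under the system temp directory so it runs outside WordPress.

```php
<?php
// Added example, not the plugin's code: the same file-deletion step written
// the bypassable way and the confined way. All names are hypothetical.

// Stand-in for wp_upload_dir()['basedir']; a temp directory is used so the
// demo can run outside WordPress.
define('EXAMPLE_UPLOAD_DIR', sys_get_temp_dir() . '/example-uploads');

// Weak: a single-pass str_replace() removes "../" only once, so an input
// such as "....//" collapses to "../" and escapes the uploads directory.
function delete_associated_file_weak(string $user_path): bool
{
    $cleaned = str_replace('../', '', $user_path);
    $target  = EXAMPLE_UPLOAD_DIR . '/' . $cleaned;
    return is_file($target) && unlink($target);
}

// Hardened: canonicalise with realpath() (which also resolves symlinks) and
// refuse anything whose canonical path is not strictly inside the base dir.
// A real handler must additionally sit behind an authorization check
// (current_user_can() plus a nonce check), since the advisory's point is
// that the deletion was reachable by unauthenticated requests.
function delete_associated_file_strict(string $user_path): bool
{
    $base   = realpath(EXAMPLE_UPLOAD_DIR);
    $target = realpath(EXAMPLE_UPLOAD_DIR . '/' . $user_path);
    if ($base === false || $target === false) {
        return false;   // base missing, or target does not exist / cannot resolve
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // canonical path lies outside the uploads directory
    }
    return is_file($target) && unlink($target);
}

// Constructed layout: one legitimate upload inside the allowed directory and
// a stand-in wp-config.php one level up, mirroring the advisory's scenario.
function run_demo(): array
{
    $site = sys_get_temp_dir() . '/example-site';
    @mkdir(EXAMPLE_UPLOAD_DIR, 0700, true);
    @mkdir($site, 0700, true);
    file_put_contents(EXAMPLE_UPLOAD_DIR . '/form-upload.txt', 'attachment');
    file_put_contents($site . '/wp-config.php', 'stand-in config, not a real one');

    $direct    = '../example-site/wp-config.php';      // plain traversal
    $traversal = '....//example-site/wp-config.php';   // survives the strip as "../"

    $results = [];
    $results['strict_rejects_plain_traversal']   = !delete_associated_file_strict($direct);
    $results['strict_rejects_doubled_traversal'] = !delete_associated_file_strict($traversal);
    $results['config_survives_strict']           = is_file($site . '/wp-config.php');
    $results['weak_follows_doubled_traversal']   = delete_associated_file_weak($traversal);
    $results['config_gone_after_weak']           = !is_file($site . '/wp-config.php');
    $results['strict_allows_legit_upload']       = delete_associated_file_strict('form-upload.txt');
    return $results;
}

foreach (run_demo() as $check => $ok) {
    printf("%-36s %s\n", $check, $ok ? 'yes' : 'no');
}
```

Every line of the demo output should read "yes": the strict variant rejects both traversal strings (the doubled one fails realpath() outright because no `....` directory exists, the plain one resolves but fails the prefix check) while still deleting a file that genuinely lives in the uploads directory, and the weak variant removes the stand-in wp-config.php one level up. The prefix comparison appends DIRECTORY_SEPARATOR so that a sibling directory whose name merely begins with the base name (for example `example-uploads-old`) is also rejected.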

Website owners are strongly advised to update to the patched version as soon as it is available, review wp-config.php and other key files for tampering, and make sure working backups and other security measures are in place. Where no patched version is available yet, disabling the plugin is the safest option.
