According to Roger Montti’s article, “Redirection For Contact Form 7 WordPress Plugin Vulnerability,” published on Search Engine Journal, a high-severity WordPress security flaw has been discovered in the Redirection for Contact Form 7 plugin, affecting up to 300,000 active installations.
The vulnerability carries a CVSS severity score of 8.1 and allows unauthenticated attackers to upload or copy arbitrary files on a vulnerable server. Because no login or user privileges are required, the flaw significantly lowers the barrier for exploitation.
The affected plugin, developed by Themeisle, is a popular add-on for Contact Form 7 that enables post-submission redirects, form data storage, and other enhanced functionality. The issue exists in all versions up to and including 3.2.7.
According to Wordfence, the vulnerability is caused by missing file type validation in the plugin’s move_file_to_upload function. This flaw enables attackers to copy arbitrary files from the server. If the PHP configuration setting allow_url_fopen is enabled, attackers may also upload remote files directly to the server.
Although this is an unauthenticated vulnerability, its exploitation is partially mitigated by hosting configuration. PHP ships with allow_url_fopen set to “On” by default, but most shared hosting providers disable it to reduce security risk. This lowers the likelihood of widespread exploitation but does not eliminate the threat, particularly on custom or misconfigured servers.
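As an added illustration (not the plugin's own code; the function name, constants and directory are hypothetical), a file-move helper that performs the kind of file type validation the article says was missing, and that refuses remote or wrapper sources regardless of the allow_url_fopen setting:

```php
<?php
// Illustrative hardened helper; not taken from the Redirection for Contact Form 7 plugin.
// Extension and MIME allowlists are constructed for this example.
const UPLOAD_ALLOWED_EXT  = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];
const UPLOAD_ALLOWED_MIME = ['application/pdf', 'image/png', 'image/jpeg', 'image/gif', 'text/plain'];

/**
 * Validate an uploaded file and move it into $uploadDir.
 * Returns the server-chosen destination path, or throws on any policy violation.
 */
function safe_move_file_to_upload(string $tmpPath, string $clientName, string $uploadDir): string
{
    // 1. Reject stream wrappers outright. With allow_url_fopen=On, copy() would
    //    fetch "http://..." or "ftp://..." sources; php:// and data:// wrappers
    //    are dangerous even when that setting is Off.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $tmpPath)) {
        throw new InvalidArgumentException('Remote or wrapper sources are not allowed');
    }

    // 2. Only accept a file PHP itself received via HTTP POST in this request,
    //    so an arbitrary local path cannot be supplied as the source.
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('Source is not an uploaded file');
    }

    // 3. Allowlist the extension of the client-supplied name, then verify the
    //    content type independently with finfo; never trust the client's MIME.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOAD_ALLOWED_EXT, true)) {
        throw new InvalidArgumentException("Extension '.$ext' is not permitted");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, UPLOAD_ALLOWED_MIME, true)) {
        throw new InvalidArgumentException("Detected type '$mime' is not permitted");
    }

    // 4. The server chooses the destination name, so the caller cannot control
    //    where the file lands or what it is called.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('Failed to store uploaded file');
    }
    return $dest;
}

// Typical call site for a form field named "attachment" (hypothetical upload directory).
if (isset($_FILES['attachment']) && $_FILES['attachment']['error'] === UPLOAD_ERR_OK) {
    $stored = safe_move_file_to_upload(
        $_FILES['attachment']['tmp_name'],
        $_FILES['attachment']['name'],
        '/var/www/example/wp-content/uploads/cf7-attachments'
    );
}
```

Administrators can confirm the server-side setting the article discusses with `php -r 'var_dump(ini_get("allow_url_fopen"));'`, but the helper above does not rely on it being Off.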
Users of the Redirection for Contact Form 7 plugin are strongly advised to update to version 3.2.8 or newer, which fully patches the vulnerability. Prompt updates and secure server configurations remain critical to protecting WordPress sites from file-based attacks.