CVE-2025-7645 Overview
CVE-2025-7645 is an arbitrary file deletion vulnerability in the Extensions For CF7 plugin for WordPress, which adds database, conditional fields, and redirection features to Contact Form 7. The flaw exists in the delete-file field due to insufficient file path validation. All plugin versions up to and including 3.2.8 are affected. Unauthenticated attackers can submit a crafted form that causes arbitrary files on the server to be deleted when an administrator later deletes the corresponding submission. Deleting sensitive files such as wp-config.php can lead to remote code execution by triggering WordPress into a setup state attackers can hijack. The vulnerability is tracked under CWE-22 (Path Traversal).
Critical Impact
Unauthenticated attackers can trigger deletion of arbitrary server files, including wp-config.php, enabling site takeover and remote code execution.
Affected Products
- WordPress plugin: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)
- Affected versions: all releases through 3.2.8
- Fixed in: version released via WordPress plugin changeset 3330857
Discovery Timeline
- 2025-07-22 - CVE-2025-7645 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7645
Vulnerability Analysis
The Extensions For CF7 plugin extends Contact Form 7 with submission storage, conditional fields, and redirection logic. When a form submission is recorded, the plugin tracks files associated with that submission through a delete-file field. When an administrator later deletes the submission from the WordPress admin panel, the plugin reads the stored value and removes the referenced file from disk.
The plugin does not validate or constrain the file path supplied by the original form submitter. An unauthenticated attacker can submit a form with a delete-file value pointing to any path on the server reachable by the web server user. The destructive action occurs only when an administrator deletes the submission, which satisfies the user interaction requirement (UI:R) reflected in the CVSS vector.
Deleting wp-config.php forces WordPress back into its initial setup workflow. An attacker who reaches the setup page first can connect the site to an attacker-controlled database and execute arbitrary PHP, achieving remote code execution.
Root Cause
The root cause is missing path validation and sanitization on the delete-file field. The plugin trusts attacker-controlled input as a file path and passes it to a file deletion routine without restricting the operation to an expected uploads directory or verifying the canonical path with checks such as realpath() boundary enforcement.
Attack Vector
The attack is network-reachable, requires no authentication, and depends on later interaction by a privileged administrator. An attacker submits a malicious form referencing a target file path. When any administrator deletes the captured submission as part of routine cleanup, the plugin removes the referenced file with the privileges of the PHP process. This is classic CWE-22 path traversal applied to a file delete sink.
No verified public proof-of-concept is referenced in the available advisories. See the Wordfence Vulnerability Report and the WordPress Plugin Changeset for technical details.
Detection Methods for CVE-2025-7645
Indicators of Compromise
- Missing or recently deleted wp-config.php, .htaccess, or core PHP files on a WordPress host running Extensions For CF7.
- WordPress redirecting to wp-admin/setup-config.php unexpectedly, indicating loss of configuration.
- Contact Form 7 submissions containing suspicious values in fields named delete-file that reference traversal sequences such as ../ or absolute system paths.
- Web server access logs showing form POSTs to Contact Form 7 endpoints followed by administrator-driven deletion requests in wp-admin.
Detection Strategies
- Inspect the plugin's submission storage tables for stored delete-file values containing path separators, traversal sequences, or paths outside the WordPress uploads directory.
- Monitor file integrity for wp-config.php and other root-level WordPress files using checksums or auditd/FIM tooling.
- Alert on WordPress installations that suddenly return the installer page or database connection errors after admin submission deletions.
Monitoring Recommendations
- Enable WordPress audit logging for plugin actions, especially submission deletions performed in the Extensions For CF7 admin views.
- Collect web server and PHP error logs centrally and search for unexpected unlink() failures or permission errors in plugin paths.
- Track plugin inventory and version data across WordPress estates so hosts running Extensions For CF7 <= 3.2.8 are flagged for prioritized patching.
How to Mitigate CVE-2025-7645
Immediate Actions Required
- Update Extensions For CF7 to the patched release tracked by WordPress plugin changeset 3330857 available on the plugin page.
- Avoid deleting captured Contact Form 7 submissions in the WordPress admin until the plugin is updated, since the destructive sink fires on admin deletion.
- Audit existing submissions for malicious delete-file values and purge them at the database layer rather than through the admin UI.
- Verify the integrity of wp-config.php and other root WordPress files, and restore from backup if any are missing.
Patch Information
The vendor released a fix referenced by the WordPress Plugin Changeset 3330857. Administrators should upgrade past version 3.2.8 to the latest available release listed on the official plugin page. Further details are documented in the Wordfence advisory.
Workarounds
- Deactivate the Extensions For CF7 plugin until the patched version can be installed.
- Place a web application firewall rule that blocks Contact Form 7 submissions containing delete-file values with path separators or traversal sequences.
- Restrict file system permissions so the PHP process cannot delete files outside the WordPress wp-content/uploads directory.
- Move wp-config.php one directory above the web root where supported, reducing the impact if traversal is attempted.
# Configuration example: restrict admin actions and protect wp-config.php at the web server layer
# nginx example
location = /wp-config.php { deny all; return 403; }
location ~* /wp-admin/admin\.php { allow 203.0.113.0/24; deny all; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

