
Cloud Vulnerability DB
A community-led vulnerabilities database
The Redirection for Contact Form 7 WordPress plugin (versions up to and including 3.2.4) contains a PHP Object Injection vulnerability identified as CVE-2025-8289. The vulnerability was discovered and disclosed on August 19, 2025, and arises from deserialization of untrusted input in the deleteassociatedfiles function. It impacts WordPress installations with the plugin installed, particularly when used in conjunction with the 'Redirection For Contact Form 7 Extension - Create Post' extension (NVD).
The vulnerability exists in the deleteassociatedfiles function of the plugin, allowing unauthenticated attackers to perform PHP Object Injection through deserialization of untrusted input. The issue specifically affects sites with PHP versions lower than 8 and requires a form with a file upload action to be present. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (Wordfence).
The vulnerability's impact depends on the presence of a POP (Property Oriented Programming) chain in additional plugins or themes. When exploited successfully, it could lead to arbitrary file deletion, sensitive data retrieval, or code execution. Given that Contact Form 7 is a requirement for this plugin and contains a usable gadget, affected sites are particularly vulnerable to arbitrary file deletion (NVD).
Site administrators should upgrade to a version newer than 3.2.4 when available. In the absence of an update, it is recommended to disable the plugin and the 'Redirection For Contact Form 7 Extension - Create Post' extension until a patch is released. Additionally, upgrading to PHP 8 or higher would prevent exploitation of this vulnerability (NVD).
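The conditions listed in this advisory (plugin version up to and including 3.2.4, PHP lower than 8, a form with a file upload action) can be combined into a triage check for a site inventory. The Python below is an added example, not code from the plugin or from the cited sources; the function names, status strings and sample header are constructed for illustration, and it assumes the plugin's main file carries a standard WordPress `Version:` header.

```python
import re

LAST_AFFECTED = (3, 2, 4)  # advisory: versions up to and including 3.2.4
SAFE_PHP_MAJOR = 8         # advisory: PHP 8 or higher prevents exploitation

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Redirection for Contact Form 7
 * Version: 3.2.4
 */
"""

def parse_version(text):
    """Turn '3.2.4' or '7.4.33-0ubuntu1' into a tuple of ints (at least 3 parts)."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0].split("+")[0])]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def plugin_version(main_file_text):
    """Read the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", main_file_text, re.M | re.I)
    if not m:
        raise ValueError("no Version header found")
    return parse_version(m.group(1))

def assess(main_file_text, php_version, has_file_upload_form):
    """Return (status, reasons) using only the conditions the advisory lists."""
    if plugin_version(main_file_text) > LAST_AFFECTED:
        return "not affected", ["plugin version is newer than 3.2.4"]
    reasons = ["plugin version is 3.2.4 or older"]
    php_old = parse_version(php_version)[0] < SAFE_PHP_MAJOR
    reasons.append("PHP is below 8" if php_old else "PHP is 8 or higher")
    reasons.append("a form with a file upload action exists"
                   if has_file_upload_form
                   else "no form with a file upload action")
    if php_old and has_file_upload_form:
        return "exposed", reasons
    # Still an affected release: upgrade or disable as the advisory recommends.
    return "affected version, preconditions not met", reasons

if __name__ == "__main__":
    status, why = assess(SAMPLE_HEADER, "7.4.33", True)
    print(status, "-", "; ".join(why))
```

A result of "affected version, preconditions not met" still calls for the upgrade or disable step above, since adding a file upload form later would change the outcome.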
Source: This report was generated using AI