Vulnerability Discovered in Redirection for Contact Form 7 WordPress Plugin

A vulnerability in the Redirection for Contact Form 7 WordPress plugin allows unauthenticated attackers to upload or copy files under certain server configurations. Users are advised to update to version 3.2.8 or later.


A security vulnerability has been identified in the Redirection for Contact Form 7 WordPress plugin, an add-on installed on more than 300,000 websites, that could allow attackers to upload or copy malicious files to affected servers under certain conditions.

The plugin, developed by Themeisle, extends the widely used Contact Form 7 plugin by enabling website owners to redirect users after form submissions, store form data in a database, and configure additional post-submission actions.

Unauthenticated Attack Vector

The flaw is considered particularly serious because it can be exploited without authentication. This means an attacker does not need a valid user account or any level of WordPress permissions to attempt exploitation, increasing the potential attack surface on vulnerable sites.

According to a security advisory published by Wordfence, the vulnerability stems from insufficient file type validation within the plugin’s move_file_to_upload function:

“The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘move_file_to_upload’ function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site’s server. If ‘allow_url_fopen’ is set to ‘On’, it is possible to upload a remote file to the server.”

Mitigating Factors

While the vulnerability does not require authentication, the remote-upload scenario described in the advisory depends on the PHP configuration directive allow_url_fopen being enabled. This directive controls whether PHP's file functions (such as fopen and copy) may open remote resources via URLs rather than only local paths.

Although PHP ships with allow_url_fopen enabled by default, many shared hosting providers disable it as a security precaution. As a result, the likelihood of exploitation may be reduced in environments where this setting is turned off, though sites with custom or less restrictive server configurations could remain exposed.
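The following is an added example written for this article, not the plugin's own move_file_to_upload code and not code from Themeisle or Wordfence. It shows the kind of validation whose absence the advisory describes: the source must be a real local temporary file (no URL or stream wrapper, so the allow_url_fopen setting cannot be leveraged on this code path), the destination must stay inside the upload directory, and the extension must be on an allowlist. The function name, the allowlist and the directory layout are assumptions; the demo inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Assumed allowlist of extensions a contact form is expected to accept.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt'];

// Extensions that must never appear anywhere in the name (blocks "shell.php.png").
const EXECUTABLE_EXTENSIONS = ['php', 'phtml', 'phar', 'php5', 'php7', 'phps'];

/**
 * Hypothetical hardened replacement for a "move temp file to uploads" helper.
 * Returns the final path on success, or null when any check fails.
 */
function safe_move_to_upload(string $source, string $original_name, string $upload_dir): ?string
{
    // 1. Refuse anything that looks like a URL or PHP stream wrapper
    //    (http://, ftp://, php://, phar://, data:, ...). Requiring two or more
    //    characters before the colon keeps Windows drive letters ("C:\") valid.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $source)) {
        return null;
    }

    // 2. The source must resolve to an existing regular file inside the temp
    //    directory; realpath() on both sides defeats "../" and symlink tricks.
    $tmp_root    = realpath(sys_get_temp_dir());
    $real_source = realpath($source);
    if ($tmp_root === false || $real_source === false
        || !is_file($real_source)
        || strncmp($real_source, $tmp_root . DIRECTORY_SEPARATOR, strlen($tmp_root) + 1) !== 0) {
        return null;
    }

    // 3. Validate the extension using only the sanitised basename of the
    //    client-supplied name, so directory components in the name are ignored.
    $base  = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($original_name));
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return null;                       // no extension at all
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                       // final extension not allowlisted
    }
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return null;                   // double-extension attempt
        }
    }

    // 4. Pin the destination to the upload directory and use a random file
    //    name, so the client never chooses where the file lands.
    $dir = realpath($upload_dir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '.' . $ext;

    // 5. Copy the validated local file and remove the temp copy.
    if (!copy($real_source, $dest)) {
        return null;
    }
    @unlink($real_source);
    return $dest;
}

// --- Demo with constructed inputs (safe to run locally) ---
$upload = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_uploads_' . bin2hex(random_bytes(4));
mkdir($upload, 0700);
$tmp = tempnam(sys_get_temp_dir(), 'cf7');
file_put_contents($tmp, "hello\n");

var_dump(safe_move_to_upload('http://example.invalid/x.png', 'x.png', $upload)); // rejected: URL scheme
var_dump(safe_move_to_upload('/etc/hostname', 'hostname.txt', $upload));        // rejected: outside temp dir
var_dump(safe_move_to_upload($tmp, '../../shell.php', $upload));                  // rejected: extension not allowed
var_dump(safe_move_to_upload($tmp, 'shell.php.png', $upload));                    // rejected: double extension
var_dump(safe_move_to_upload($tmp, 'report.pdf', $upload));                       // accepted: random name inside $upload
```

The scheme check in step 1 is what makes the allow_url_fopen directive irrelevant to this function: even with allow_url_fopen set to On, a remote URL never reaches copy(). Disabling allow_url_fopen in php.ini remains worthwhile as defence in depth for other code paths, and updating the plugin to 3.2.8 or later is the actual fix; the helper above only illustrates the checks a file-move routine should perform.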

Themeisle has released a fix addressing the issue. Website owners using the Redirection for Contact Form 7 plugin are strongly advised to update to version 3.2.8 or later to mitigate the risk.

As with similar WordPress vulnerabilities, security experts recommend keeping plugins up to date, limiting unnecessary plugin installations, and reviewing server-level PHP settings to reduce exposure to unauthenticated attacks.