CVE-2025-7645
Published: 22 July 2025
Summary
CVE-2025-7645 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks in the top 18.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Extensions For CF7 plugin for WordPress, which extends Contact Form 7 with database, conditional fields, and redirection features, is affected by CVE-2025-7645 in all versions through 3.2.8. The vulnerability is an arbitrary file deletion flaw (CWE-22) caused by missing validation of the delete-file field, rated 8.1 under CVSS 3.1.
Unauthenticated attackers can supply crafted file paths in form submissions; when an administrator later deletes the entry, the plugin removes arbitrary server files. Deletion of files such as wp-config.php can directly enable remote code execution.
The referenced WordPress Trac changeset and Wordfence advisory indicate that a fix has been published, and site operators should update the plugin through the official directory to the patched release.
EPSS remains flat at 0.0147 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22296
Vulnerability details
The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin enables unauthenticated exploitation (T1190), resulting in arbitrary file deletion when the tainted submission is deleted (T1070.004, Indicator Removal: File Deletion); any resulting RCE is indirect and not guaranteed.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2025-7645 by identifying, reporting, and patching the arbitrary file deletion flaw in the Extensions For CF7 plugin as documented in advisories.
- SI-10 (Information Input Validation): enforces input validation at form entry points to block malicious file paths that exploit the insufficient path validation in the 'delete-file' field.
- Monitors the system for unauthorized file deletions triggered by tainted form submissions, identifying exploitation in progress.
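The 'delete-file' flaw described under Vulnerability details and the SI-10 input-validation control above come down to one check: resolve the stored filename against the uploads directory and refuse anything that lands outside it before calling unlink(). The PHP below is an added example written for this page, not code from the Extensions For CF7 plugin or its published fix; safe_delete_upload() is a hypothetical helper, and the scratch directory stands in for a real WordPress install.

```php
<?php
// Added example for this page, not code from the Extensions For CF7 plugin
// or its fix. $uploads_dir stands in for wp_upload_dir()['basedir'].

function safe_delete_upload(string $uploads_dir, string $delete_file): bool
{
    // Refuse empty values and embedded NUL bytes before any filesystem call
    // (realpath() would throw on a NUL byte in PHP 8).
    if ($delete_file === '' || strpos($delete_file, "\0") !== false) {
        return false;
    }
    $base = realpath($uploads_dir);
    if ($base === false) {
        return false;
    }
    // Resolve the requested path, which also collapses ../ segments and symlinks.
    $target = realpath($base . DIRECTORY_SEPARATOR . $delete_file);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // The resolved file must sit strictly inside the uploads directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed scratch layout standing in for a WordPress install.
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cf7-demo-' . getmypid();
$uploads = $site . '/wp-content/uploads';
mkdir($uploads, 0700, true);
file_put_contents($site . '/wp-config.php', '<?php // stand-in for the real config');
file_put_contents($uploads . '/resume.pdf', 'stand-in attachment');

// A traversal value of the kind the advisory describes is refused and the
// config file survives; a plain attachment name inside uploads is deleted.
var_dump(safe_delete_upload($uploads, '../../wp-config.php'));
var_dump(file_exists($site . '/wp-config.php'));
var_dump(safe_delete_upload($uploads, 'resume.pdf'));

// Remove the scratch tree.
unlink($site . '/wp-config.php');
rmdir($uploads);
rmdir($site . '/wp-content');
rmdir($site);
```

Because realpath() resolves symlinks before the prefix comparison, a link planted inside uploads that points at wp-config.php is refused as well, which a plain string check on the raw field would miss.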