CVE-2025-8141
Published: 20 August 2025
Summary
CVE-2025-8141 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 30.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-8141, published on 2025-08-20, is a vulnerability in the Redirection for Contact Form 7 plugin for WordPress, affecting all versions up to and including 3.2.4. It stems from insufficient file path validation in the delete_associated_files function, enabling arbitrary file deletion on the server. The issue is classified under CWE-22 (path traversal) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, though it requires user interaction. By manipulating file paths, they can delete arbitrary files, which can lead to remote code execution if critical files such as wp-config.php are targeted, with severe impact on confidentiality, integrity, and availability.
Mitigation details are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/fafd0159-25ab-430d-88ef-c4d09d23baa7?source=cve. The vulnerable code location is documented in the plugin's source at https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.3/classes/class-wpcf7r-save-files.php#L80.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28791
Vulnerability details
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct path traversal flaw in a publicly reachable WordPress plugin enables remote exploitation of the web application (T1190) and arbitrary file deletion (T1070.004), which can lead to RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly counters the insufficient file path validation in the delete_associated_files function by requiring validation of path inputs to block path traversal exploits.
- SI-2 (Flaw Remediation): Remediates the specific path traversal flaw in Redirection for Contact Form 7 plugin versions up to 3.2.4 through timely flaw correction and patching.
- Least privilege (AC-6): Limits the impact of arbitrary file deletion by enforcing least privilege on the web server process, preventing deletion of critical files such as wp-config.php.
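The path-input validation that SI-10 calls for, shown as an added example of a containment check for a plugin file-deletion routine. This is illustrative code, not the plugin's own delete_associated_files implementation; the helper name and the use of the WordPress uploads directory as the allowed root are assumptions.

```php
<?php
// Added example, not the Redirection for Contact Form 7 plugin's code.
// The CWE-22 pattern this guards against is building a path from untrusted
// input and calling unlink() on it with no check that the result stays
// inside the directory the plugin is allowed to manage.

/**
 * Delete a file that must live inside $base_dir (assumed to be
 * wp_upload_dir()['basedir'] when called from a WordPress plugin).
 *
 * $relative_path is untrusted (e.g. a form field or stored meta value).
 * Returns true only if a regular file inside $base_dir was removed.
 */
function safe_delete_associated_file( string $base_dir, string $relative_path ): bool {
    // 1. Canonicalise the allowed root; realpath() resolves '..' and symlinks.
    $root = realpath( $base_dir );
    if ( false === $root ) {
        return false; // base directory does not exist
    }
    $root = rtrim( $root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // 2. Reject hostile shapes early: empty input, embedded null bytes,
    //    absolute paths (POSIX or drive-letter), and any '..' segment.
    //    This is defence in depth; the realpath() comparison below is the
    //    authoritative containment check.
    if ( '' === $relative_path
        || false !== strpos( $relative_path, "\0" )
        || preg_match( '#^([a-zA-Z]:)?[\\\\/]#', $relative_path )
        || preg_match( '#(^|[\\\\/])\.\.([\\\\/]|$)#', $relative_path ) ) {
        return false;
    }

    // 3. Canonicalise the candidate and require it to remain under the root.
    //    realpath() returns false for a missing file or a dangling symlink,
    //    and a symlink pointing outside the root resolves outside it.
    $target = realpath( $root . $relative_path );
    if ( false === $target || 0 !== strpos( $target, $root ) ) {
        return false; // escaped the allowed directory: path traversal
    }

    // 4. Only delete regular files, never directories or special files.
    if ( ! is_file( $target ) ) {
        return false;
    }

    return unlink( $target );
}
```

Because the check compares canonical paths rather than the raw string, it also rejects inputs that reach wp-config.php through a symlink inside the uploads directory, which a simple '..' filter alone would miss.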