Extensions For CF7 Plugin Vulnerability - CVE-2025-7645
Happy Monday, everyone!
It's the start of the week, and we already have several WordPress vulnerabilities disclosed today.
I've decided to cover the most severe one, in the Extensions For CF7 (Contact Form 7 Database, Conditional Fields and Redirection) plugin.
It's officially tracked under the ID CVE-2025-7645, and has a CVSS score of 8.1 (High).
About this vulnerability
The issue allows for arbitrary file deletion through the delete-file field.
It affects all versions before 3.2.9, the patched release published today.
The vulnerability can be exploited without authentication, meaning any skilled hacker can take advantage of it.
Unauthenticated file deletion is pretty severe, as malicious actors can delete the wp-config.php file on your website, allowing them to take it over.
What should you do?
Please update the Extensions For CF7 plugin immediately.
You can find the latest patched version in the original WP plugins directory.
Failing to do so promptly leaves your website exposed to severe website, SEO, and reputation damage.
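One way to check a site against this advisory, as an added example that is not code from the plugin or from this post: it reads the plugin's header fields the way WordPress does, compares the installed version against 3.2.9, and confirms wp-config.php is still in place. The plugin folder name is passed as an argument because the post does not give it, and `audit`, `header` and `version_tuple` are names chosen for this example.

```python
import re
import sys
from pathlib import Path

PATCHED = (3, 2, 9)  # first fixed release named in the advisory
# WordPress reads plugin headers from the first 8 KB of the main plugin file.
HEADER = r"^(?:[ \t]*<\?php)?[ \t/*#@]*{}:(.*)$"


def header(text, name):
    """Return the value of one plugin header field, or None if absent."""
    m = re.search(HEADER.format(re.escape(name)), text[:8192], re.I | re.M)
    return m.group(1).strip() if m else None


def version_tuple(raw):
    """'3.2.8' -> (3, 2, 8); '3.2' -> (3, 2, 0); suffixes like '-beta' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", raw)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(wp_root, plugin_folder):
    """Report installed version, exposure, and whether wp-config.php exists."""
    root = Path(wp_root)
    # plugin_folder is supplied by the caller (assumption: you know your own slug).
    plugin_dir = root / "wp-content" / "plugins" / plugin_folder
    version = None
    for php in sorted(plugin_dir.glob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if header(text, "Plugin Name"):  # the main file carries this header
            version = header(text, "Version")
            break
    # wp-config.php may live in the WordPress root or one directory above it.
    config_ok = any((d / "wp-config.php").is_file() for d in (root, root.parent))
    return {
        "installed": version,
        "vulnerable": version is not None and version_tuple(version) < PATCHED,
        "wp_config_present": config_ok,
    }


if __name__ == "__main__":
    # Usage: python audit.py /path/to/wordpress <plugin-folder-name>
    result = audit(sys.argv[1], sys.argv[2])
    print(result)
    sys.exit(1 if result["vulnerable"] or not result["wp_config_present"] else 0)
```

A missing wp-config.php on a site that was running an affected version is worth treating as a possible sign of exploitation, not just a misconfiguration.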
Need help updating, maintaining your site, or remedying damage? Just reach out!