Plugin icon

Redirection for Contact Form 7

wpcf7-redirect

Vulnerabilities:

15

Last Updated:

December 19, 2025

Active Installs:

300000

Published
Title
Fixed in
CVSS
Published
2025-12-20
Title
Redirection for Contact Form 7 < 3.2.8 - Unauthenticated Arbitrary File Copy
Fixed in
Fixed in 3.2.8
CVSS
8.1 (high)
Published
2025-10-17
Title
Redirection for Contact Form 7 < 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode
Fixed in
Fixed in 3.2.7
CVSS
6.4 (medium)
Published
2025-08-19
Title
Redirection for Contact Form 7 < 3.2.5 - Unauthenticated PHP Object Injection via PHAR Deserialization
Fixed in
Fixed in 3.2.5
CVSS
7.5 (high)
Published
2025-08-19
Title
Redirection for Contact Form 7 < 3.2.5 - Unauthenticated Arbitrary File Deletion
Fixed in
Fixed in 3.2.5
CVSS
8.1 (high)
Published
2025-08-19
Title
Redirection for Contact Form 7 < 3.2.5 - Unauthenticated PHP Object Injection
Fixed in
Fixed in 3.2.5
CVSS
8.8 (high)
Published
2023-10-03
Title
Redirection for Contact Form 7 < 3.0.0 - Missing Authorization
Fixed in
Fixed in 3.0.0
CVSS
5.3 (medium)
Published
2023-07-18
Title
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Fixed in
Fixed in 2.9.0
CVSS
6.1 (medium)
Published
2022-09-29
Title
Redirection for Contact Form 7 < 2.6.0 - Unauthenticated Options Update to Stored XSS
Fixed in
Fixed in 2.6.0
CVSS
7.5 (high)
Published
2022-03-07
Title
Redirection for Contact Form 7 < 2.5.0 - Reflected Cross-Site Scripting
Fixed in
Fixed in 2.5.0
CVSS
6.1 (medium)
Published
2022-02-28
Title
Unauthorised AJAX Calls via Freemius
Fixed in
Fixed in 2.5.0
CVSS
4.3 (medium)
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
Fixed in
Fixed in 2.3.4
CVSS
4.2 (medium)
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
Fixed in
Fixed in 2.3.4
CVSS
5.3 (medium)
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection
Fixed in
Fixed in 2.3.4
CVSS
7.5 (high)
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions
Fixed in
Fixed in 2.3.4
CVSS
5.0 (medium)
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
Fixed in
Fixed in 2.3.4
CVSS
5.4 (medium)