Redirection for Contact Form 7 Plugin Vulnerability Affects 300,000 WordPress Sites

Website Maintenance · WordPress · Security · 18 January 2026 · By IceBoxDesigns

If your WordPress site uses the Redirection for Contact Form 7 plugin, check your version number right now. A vulnerability rated 8.1 in severity has been found in the plugin, affecting all versions up to and including 3.2.7, and it's installed on over 300,000 websites.

Key Takeaways

  • The Redirection for Contact Form 7 plugin by Themeisle has a vulnerability rated 8.1 out of 10 in severity.
  • It affects all versions up to and including 3.2.7, across more than 300,000 installations.
  • Attackers don't need to log in to exploit it, making it easier to abuse.
  • The flaw allows malicious file uploads and copying of files from your server.
  • Update to version 3.2.8 or newer immediately to close the gap.

What Is the Redirection for Contact Form 7 Plugin?

Built by Themeisle, Redirection for Contact Form 7 is an add-on to the hugely popular Contact Form 7 plugin. It lets you redirect visitors to any page after they submit a form, store submission data in a database, and carry out a handful of other useful functions. It's a common choice for small business sites that want a bit more control over what happens after someone fills in a form.

What Does the Vulnerability Actually Do?

According to Wordfence, the flaw sits in a function called move_file_to_upload. The plugin fails to validate file types properly, which means an attacker can upload arbitrary files to your server or copy files that are already on it. In plain terms, they could plant malicious code on your site or grab files they shouldn't have access to.

What makes this particularly alarming is that it's an unauthenticated vulnerability. The attacker doesn't need a login, a subscriber account, or any level of access to your site at all. They can attempt to exploit it from the outside, anonymously.

Is There Anything That Limits the Risk?

Yes, one thing. The file upload part of the flaw only works if a PHP setting called allow_url_fopen is turned on. This setting controls whether PHP's file functions (such as fopen, copy and file_get_contents) can open remote URLs as if they were local files. PHP ships with it set to "On" by default, but the majority of shared hosting providers routinely switch it to "Off" specifically to prevent this kind of attack.

So if your site is on a typical shared host, the chances of a successful exploit are lower. That said, lower risk is not zero risk, and the ability to copy files from your server remains regardless of that setting. Updating is still the right move.
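To make the missing check concrete, here is an added illustration, written for this post and not taken from the plugin (it is not a reconstruction of move_file_to_upload), of the validation a file-moving helper in a WordPress plugin needs before it touches the filesystem. It assumes it runs inside WordPress, so wp_check_filetype_and_ext(), wp_upload_dir(), wp_mkdir_p() and WP_Error are the core APIs it relies on; the function name, the assumption that the source file sits in WordPress's temporary directory, and the extension allowlist are hypothetical choices for the example.

```php
<?php
/**
 * Added example (not the plugin's code, not a reconstruction of its
 * move_file_to_upload): the checks a WordPress file-moving helper needs
 * before it touches the filesystem. Assumes it runs inside WordPress so the
 * core functions used below exist. The function name, the temp-dir source
 * location and the extension allowlist are hypothetical choices.
 *
 * Returns the new path on success, or a WP_Error describing the rejection.
 */
function example_safe_move_to_uploads( string $source, string $original_name ) {
    // 1. Reject stream wrappers and URLs outright. With allow_url_fopen=On,
    //    copy()/rename() on "http://..." would fetch remote content; refusing
    //    them in code removes the dependence on the host's php.ini.
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $source ) || false !== strpos( $source, "\0" ) ) {
        return new WP_Error( 'bad_source', 'Remote or malformed source path rejected.' );
    }

    // 2. Confine the source to the temporary upload area. realpath() resolves
    //    symlinks and "../" so a path pointing elsewhere on the server fails here.
    $tmp_base = realpath( get_temp_dir() );
    $real     = realpath( $source );
    if ( false === $tmp_base || false === $real || ! is_file( $real )
         || 0 !== strncmp( $real, $tmp_base . DIRECTORY_SEPARATOR, strlen( $tmp_base ) + 1 ) ) {
        return new WP_Error( 'bad_source', 'Source must be a file inside the temporary directory.' );
    }

    // 3. Allowlist the file type. wp_check_filetype_and_ext() checks the
    //    extension against the list and verifies the real content type where
    //    it can (images and the finfo-detectable types). PHP and other
    //    executable types are simply absent from the list.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext( $real, $original_name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    // 4. Write under a random, non-guessable name using the validated
    //    extension, so the visitor's chosen filename never reaches the disk.
    $uploads = wp_upload_dir();
    if ( ! empty( $uploads['error'] ) ) {
        return new WP_Error( 'no_uploads', $uploads['error'] );
    }
    $target_dir = trailingslashit( $uploads['basedir'] ) . 'example-form-files/'; // hypothetical subfolder
    if ( ! wp_mkdir_p( $target_dir ) ) {
        return new WP_Error( 'no_uploads', 'Could not create target directory.' );
    }
    $target = $target_dir . wp_generate_password( 16, false ) . '.' . $check['ext'];

    if ( ! rename( $real, $target ) ) {
        return new WP_Error( 'move_failed', 'Could not move file.' );
    }
    return $target;
}

// Typical call site: treat a WP_Error as a hard failure, never fall through.
// $result = example_safe_move_to_uploads( $tmp_path, $_FILES['attachment']['name'] );
// if ( is_wp_error( $result ) ) { /* log and abort the submission */ }
```

Step 1 is the one that interacts with the allow_url_fopen caveat above: when that setting is off, a remote source fails anyway, but a plugin should not rely on the host to be configured that way. Step 2 is what stops the "copy files that are already on the server" half of the flaw, which no php.ini setting mitigates.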

What Should You Do?

Update the plugin to version 3.2.8 or newer straight away. You can do this from your WordPress dashboard under Plugins > Installed Plugins. Find Redirection for Contact Form 7, check the version, and hit update if it's showing 3.2.7 or below.

If you're not sure how to check or you'd rather not risk touching it yourself, this is exactly the kind of thing our website maintenance service covers. We monitor plugins for known vulnerabilities and keep your site patched so you don't have to think about it.

Why Plugin Vulnerabilities Like This Keep Happening

Missing file type validation is one of the most common causes of WordPress plugin security flaws. A function accepts a file but never checks whether it is actually a safe type before letting it through. It's a relatively straightforward oversight, but the consequences can be severe: a successful exploit can give an attacker a foothold on your server.

Keeping plugins updated is the single most effective thing a WordPress site owner can do to reduce this kind of exposure. Old, unpatched plugins are one of the leading causes of WordPress site compromises. If you're running a business site on WordPress, it's worth having a proper WordPress maintenance process in place rather than relying on remembering to check manually.

What to Do Right Now

  1. Log into your WordPress dashboard.
  2. Go to Plugins > Installed Plugins.
  3. Search for "Redirection for Contact Form 7".
  4. If the version shown is 3.2.7 or earlier, click Update Now.
  5. Confirm it's now running version 3.2.8 or newer.

If you can't see the plugin listed but you're not sure whether it's installed elsewhere in your setup, ask your developer or host to check the server directly.
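For the developer or host who is asked to "check the server directly", the following is an added, read-only audit script (written for this post, not IceBoxDesigns' or Themeisle's code) that answers the two questions raised above from the command line: whether the plugin is present at a version below 3.2.8, and whether allow_url_fopen is on. It uses no WordPress functions, only the plugin header format that WordPress core itself reads, and identifies the plugin by its Plugin Name header rather than by folder name, so it works wherever the plugin directory was installed. The function names and the path argument are assumptions for the example.

```php
<?php
/**
 * Added example, not the plugin author's or IceBoxDesigns' code: a read-only
 * CLI audit for the issue described in this post.
 *
 * Usage: php audit-cf7-redirect.php /path/to/wp-content/plugins
 */

const TARGET_PLUGIN = 'Redirection for Contact Form 7';
const FIXED_VERSION = '3.2.8';

/** Read "Plugin Name:" and "Version:" from a plugin file header (first 8 KB, as WP core does). */
function example_read_plugin_header( string $file ): ?array {
    $head = file_get_contents( $file, false, null, 0, 8192 );
    if ( false === $head || ! preg_match( '/^[ \t\/*#@]*Plugin Name:\s*(.+?)\s*$/mi', $head, $name ) ) {
        return null; // not a plugin main file
    }
    $version = preg_match( '/^[ \t\/*#@]*Version:\s*(.+?)\s*$/mi', $head, $ver ) ? trim( $ver[1] ) : '';
    return array( 'name' => trim( $name[1] ), 'version' => $version, 'file' => $file );
}

/** Scan single-file plugins and one directory level, collecting matches by plugin name. */
function example_find_plugin( string $plugins_dir, string $wanted ): array {
    $candidates = array_merge(
        glob( $plugins_dir . '/*.php' ) ?: array(),
        glob( $plugins_dir . '/*/*.php' ) ?: array()
    );
    $hits = array();
    foreach ( $candidates as $file ) {
        $header = example_read_plugin_header( $file );
        if ( $header && 0 === strcasecmp( $header['name'], $wanted ) ) {
            $hits[] = $header;
        }
    }
    return $hits;
}

/** Versions up to and including 3.2.7 are affected; an unreadable version is flagged for a human look. */
function example_is_vulnerable( string $version ): bool {
    return '' === $version || version_compare( $version, FIXED_VERSION, '<' );
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $dir   = rtrim( $argv[1], '/' );
    $found = example_find_plugin( $dir, TARGET_PLUGIN );

    if ( ! $found ) {
        echo "Plugin '" . TARGET_PLUGIN . "' not found under $dir\n";
    }
    foreach ( $found as $header ) {
        $status = example_is_vulnerable( $header['version'] )
            ? 'VULNERABLE - update to ' . FIXED_VERSION . ' or newer'
            : 'patched';
        printf( "%s %s (%s): %s\n", $header['name'], $header['version'] ?: '(no version)', $header['file'], $status );
    }

    // allow_url_fopen is a system-level setting (php.ini / server config). This
    // reports what the CLI binary sees; the web server's PHP may load a
    // different php.ini, so confirm from the web context as well.
    $url_fopen = filter_var( ini_get( 'allow_url_fopen' ), FILTER_VALIDATE_BOOLEAN );
    echo 'allow_url_fopen: ' . ( $url_fopen ? 'On (remote upload path usable if unpatched)' : 'Off' ) . "\n";
}
```

Run it with the same PHP binary the web server uses where you can. A "patched" line plus allow_url_fopen Off is the comfortable outcome; a VULNERABLE line means updating in the dashboard, as in the steps above, regardless of what allow_url_fopen reports, since the file-copy half of the flaw does not depend on that setting.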


Worried about what else might be out of date on your site? We run regular security audits and handle plugin updates as part of our ongoing website maintenance plans. Get in touch and we'll take a look.

Frequently asked questions

Which versions of the Redirection for Contact Form 7 plugin are affected?

All versions up to and including 3.2.7 are vulnerable. You should update to version 3.2.8 or newer to fix the issue.

Do attackers need to log in to exploit this vulnerability?

No. This is an unauthenticated vulnerability, meaning an attacker needs no login or user account on your site to attempt an exploit.

My site is on shared hosting. Am I still at risk?

The remote file upload part of the flaw requires the PHP setting 'allow_url_fopen' to be turned on. Most shared hosts set this to 'Off', which reduces but does not eliminate the risk. The ability to copy existing files on your server is still present, so updating the plugin is essential regardless.

How do I update the plugin?

Log into your WordPress dashboard, go to Plugins > Installed Plugins, find Redirection for Contact Form 7, and click Update Now if it's running version 3.2.7 or below. Confirm it updates to 3.2.8 or newer.
