CVE-2025-14800
WordPress · WordPress "Redirection for Contact Form 7" plugin
Executive summary
A high-severity vulnerability has been identified in the "Redirection for Contact Form 7" WordPress plugin. This flaw allows an unauthenticated attacker to upload malicious files to a website, which could lead to a complete server compromise, data theft, and website defacement. Organizations using this plugin are at significant risk and should take immediate action to mitigate this threat.
Vulnerability
The vulnerability is an arbitrary file upload weakness within the move_file_to_upload function of the plugin. The function fails to properly validate the types of files being uploaded through forms managed by the plugin. An unauthenticated attacker can exploit this by crafting a request to upload a malicious script (e.g., a PHP web shell) disguised as a legitimate file. Upon successful upload, the attacker can execute the script on the server, gaining unauthorized remote code execution capabilities and full control over the affected website.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. A successful exploit could lead to a complete compromise of the web server and its data. Potential consequences include theft of sensitive information (customer data, user credentials), website defacement, deployment of malware or ransomware, and using the compromised server to launch further attacks against other systems. Such an incident can result in significant financial loss, reputational damage, and regulatory penalties.
Remediation
Immediate Action:
- Immediately update the "Redirection for Contact Form 7" plugin to the latest patched version (any version after 3).
- If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it from the WordPress installation to eliminate the attack surface.
Proactive Monitoring:
- Review web server access logs for unusual POST requests to contact form endpoints, specifically looking for file uploads with suspicious extensions (e.g., .php, .phtml, .phar).
- Scan the WordPress wp-content/uploads/ directory and other server-writable directories for any unauthorized or suspicious files.
- Implement File Integrity Monitoring (FIM) to alert on unexpected file changes or additions within the web application's directory structure.
- Monitor for unusual outbound network traffic from the web server, which could indicate a successful compromise and communication with a command-and-control server.
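As an added example (not part of this advisory), a small Python script that applies the log-review step above to constructed combined-format access log lines: it flags requests for script files under wp-content/uploads/ (the planted file being used, since the uploaded filename itself sits in the request body and does not appear in an access log) and correlates them with earlier form POSTs from the same client. The contact-form endpoint pattern and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Extensions the advisory lists as suspicious for uploaded files (compared lower-case).
SCRIPT_EXTS = {"php", "phtml", "phar"}
UPLOADS_PREFIX = "/wp-content/uploads/"
# Assumed marker for Contact Form 7 submission endpoints; adjust to your site's form URLs.
FORM_ENDPOINT_RE = re.compile(r"contact-form-7|wpcf7")
# Combined Log Format: host ident user [time] "METHOD target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

def parse_log(lines):
    """Parse log lines into (ip, time, method, path, status); lines that do not parse are skipped."""
    for m in filter(None, map(LOG_RE.match, lines)):
        yield m["ip"], m["time"], m["method"], urlsplit(m["target"]).path, int(m["status"])

def script_extension(path):
    """First script extension anywhere in the basename (so report.phtml.jpg is caught), else None."""
    for part in path.rsplit("/", 1)[-1].lower().split(".")[1:]:
        if part in SCRIPT_EXTS:
            return part
    return None

def find_script_requests(lines):
    """Requests for script files under uploads: the sign of a planted file being used, whatever its status."""
    return [rec for rec in parse_log(lines)
            if rec[3].startswith(UPLOADS_PREFIX) and script_extension(rec[3])]

def correlate_upload_then_execute(lines):
    """Client IPs that POSTed to a form endpoint and later requested a script under uploads (log assumed chronological)."""
    posted, suspects = set(), set()
    for ip, _, method, path, _ in parse_log(lines):
        if method == "POST" and FORM_ENDPOINT_RE.search(path):
            posted.add(ip)
        elif ip in posted and path.startswith(UPLOADS_PREFIX) and script_extension(path):
            suspects.add(ip)
    return sorted(suspects)

# Constructed sample access log lines (not real traffic); documentation IP ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2025:10:00:30 +0000] "GET /wp-content/uploads/2025/01/logo.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:10:00:45 +0000] "GET /wp-content/uploads/2025/01/invoice.php HTTP/1.1" 200 88 "-" "curl/8.0"',
    '192.0.2.7 - - [10/Jan/2025:10:03:12 +0000] "GET /wp-content/uploads/2025/01/report.phtml.jpg HTTP/1.1" 404 0 "-" "curl/8.0"',
]
```

Run `find_script_requests` over a real log to list every script request under uploads, and `correlate_upload_then_execute` to narrow that to clients that also submitted a form first; a 404 hit is still worth reviewing, since it shows someone probing for a file that may have been uploaded under a different name.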
Compensating Controls:
- Deploy a Web Application Firewall (WAF) with rules designed to inspect and block malicious file uploads based on file type, name, and content.
- If immediate patching is not possible, disable file upload functionality on all public-facing contact forms.
- Harden the web server configuration to prevent the execution of scripts (like PHP) from within the uploads directory. This can be achieved via .htaccess rules on Apache or server block configurations on Nginx.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8.1) and the critical impact of a successful exploit (remote code execution), we strongly recommend that all organizations using the "Redirection for Contact Form 7" plugin treat this vulnerability with the highest priority. Administrators should immediately identify all instances of this plugin and apply the vendor-supplied patch or remove the plugin entirely. Although not currently listed in the CISA KEV catalog, the ease of exploitation makes it a prime candidate for future inclusion, underscoring the urgency for immediate remediation.