Arbitrary file upload / file copy in Redirection for Contact Form 7 (WordPress) <= 3.2.7
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the plugin’s move_file_to_upload function in all versions up to and including 3.2.7. This allows unauthenticated attackers to copy arbitrary files onto the affected server. If PHP allow_url_fopen is enabled, an attacker can supply a remote URL as the source and cause the server to fetch and store a remote file, effectively enabling remote file upload.
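The description above attributes the flaw to missing file type validation in move_file_to_upload and to remote URLs being accepted as a source. As an added example (not the plugin's code or its patch), the PHP function below shows the source and file-type checks such a copy routine needs; the name safe_copy_to_uploads, the ALLOWED_TYPES list and the directory arguments are assumptions.

```php
<?php
// Added example, not the plugin's code. The function name, the allowlist
// and the directory arguments are hypothetical.
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

function safe_copy_to_uploads(string $source, string $tmpDir, string $uploadDir): string
{
    // realpath() resolves local filesystem paths only, so remote URLs and
    // stream wrappers (http://, ftp://, php://, phar://) come back as false
    // regardless of the allow_url_fopen setting.
    $real = realpath($source);
    $base = realpath($tmpDir);
    if ($real === false || $base === false || !is_file($real)) {
        throw new RuntimeException('source is not a local file');
    }
    // The resolved source must sit inside the expected temp directory,
    // which blocks ../ traversal and copies of arbitrary server files.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('source outside permitted directory');
    }
    // Extension allowlist: anything not listed (php, phtml, ...) is refused.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('file extension not allowed');
    }
    // The sniffed content type must agree with the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($real);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // The stored name is generated server-side; no caller-supplied name is reused.
    $destDir = realpath($uploadDir);
    if ($destDir === false || !is_dir($destDir)) {
        throw new RuntimeException('upload directory missing');
    }
    $dest = $destDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!copy($real, $dest)) {
        throw new RuntimeException('copy failed');
    }
    return $dest;
}
```

Content sniffing does not rule out polyglot files, so the upload directory should still refuse script execution at the web server level.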
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
allow_url_fopen=On because remote content can be fetched and written to disk.
Mitigation
If you can’t patch tonight, do this now.
move_file_to_upload; set PHP allow_url_fopen=Off to reduce the ability to fetch remote files; and enforce server-side controls on upload directories (e.g., prevent script execution in upload paths via web server configuration) to reduce the likelihood of code execution from placed files.
Remediation
Patch, then assume compromise.
move_file_to_upload. Ensure the fix includes robust allowlist-based validation of file types/extensions and safe handling of file paths/sources for any upload/move functionality.
Exploits
No public exploit code observed for this vulnerability.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.