PLUGIN SECURITY
Is Wpcf7 Redirect safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Wpcf7 Redirect WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
wpcf7-redirect - Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24279, Redirection for Contact Form 7 <= 2.3.3 - Authenticated Arbitrary Plugin Installation, Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24280, Redirection for Contact Form 7 <= 2.3.3 - Authenticated PHP Object Injection, Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24281, Redirection for Contact Form 7 <= 2.3.3 - Authenticated Arbitrary Post Deletion, Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24282, Redirection for Contact Form 7 <= 2.3.3 - Unprotected AJAX Actions, Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24278, Redirection for Contact Form 7 <= 2.3.3 - Unauthenticated Arbitrary Nonce Generation, Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation]
+ 20 more known vulnerabilities
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [WordPress Redirection for Contact Form 7 plugin < 2.5.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [WordPress Redirection for Contact Form 7 plugin < 2.5.0 - Sensitive Information Disclosure vulnerability]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Unauthenticated Arbitrary Nonce Generation vulnerability]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Authenticated Arbitrary Plugin Installation vulnerability]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Authenticated PHP Object Injection vulnerability]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Authenticated Arbitrary Post Deletion vulnerability]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Unprotected AJAX Actions vulnerability]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [CVE-2022-0250, Redirection for Contact Form 7 <= 2.4.0 - Reflected Cross-Site Scripting, Redirection for Contact Form 7 < 2.5.0 - Reflected Cross-Site Scripting]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [Unauthorised AJAX Calls via Freemius]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.7.0 [CVE-2021-36913, WordPress Redirection for Contact Form 7 plugin <= 2.4.0 - Unauthenticated Options Change vulnerability, Redirection for Contact Form 7 <= 2.4.0 - Missing Authorization, Redirection for Contact Form 7 < 2.6.0 - Unauthenticated Options Update to Stored XSS]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [Freemius SDK <= 2.4.2 - Missing Authorization Checks]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.8.0 [CVE-2023-23990, WordPress Redirection for Contact Form 7 Plugin <= 2.7.0 is vulnerable to Privilege Escalation, Redirection for Contact Form 7 <= 2.7.0 - Authenticated(Editor+) Privilege Escalation]
- Redirection for Contact Form 7 [wpcf7-redirect] < 2.9.2 [CVE-2023-33999, WordPress Redirection for Contact Form 7 Plugin < 2.9.2 is vulnerable to Cross Site Scripting (XSS), Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting]
- Redirection for Contact Form 7 [wpcf7-redirect] < 3.0.0 [CVE-2023-39920, WordPress Redirection for Contact Form 7 Plugin <= 2.9.2 is vulnerable to Broken Access Control, Redirection for Contact Form 7 <= 2.9.2 - Missing Authorization, Redirection for Contact Form 7 < 3.0.0 - Missing Authorization]
- Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.5 [CVE-2025-8141, WordPress Redirection for Contact Form 7 Plugin <= 3.2.4 is vulnerable to Arbitrary File Deletion, Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion, EUVD-2025-28791]
- Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.5 [CVE-2025-8145, Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection, EUVD-2025-28794]
- Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.5 [CVE-2025-8289, Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection via PHAR Deserialization, EUVD-2025-28798]
- Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.7 [Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode, EUVD-2025-34977, Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode]
- Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.8 [CVE-2025-14800, Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload, EUVD-2025-204668]
- Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.9 [CVE-2026-23970, Redirection for Contact Form 7 <= 3.2.8 - Unauthenticated Stored Cross-Site Scripting]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Database Addon for Contact Form 7 – CFDB7 — 600000+ active installs — max PHP 8.4
- ReCaptcha v2 for Contact Form 7 — 200000+ active installs — max PHP 8.4
- Conditional Fields for Contact Form 7 — 100000+ active installs — max PHP 8.4
- Contact Form 7 – Dynamic Text Extension — 100000+ active installs
- Contact Form 7 Captcha — 100000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.