WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Wpcf7 Redirect safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Wpcf7 Redirect WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: wpcf7-redirect
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24279, Redirection for Contact Form 7 <= 2.3.3 - Authenticated Arbitrary Plugin Installation, Redirection for Contact Form 7 &lt; 2.3.4 - Authenticated Arbitrary Plugin Installation]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24280, Redirection for Contact Form 7 <= 2.3.3 - Authenticated PHP Object Injection, Redirection for Contact Form 7 &lt; 2.3.4 - Authenticated PHP Object Injection]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24281, Redirection for Contact Form 7 <= 2.3.3 - Authenticated Arbitrary Post Deletion, Redirection for Contact Form 7 &lt; 2.3.4 - Authenticated Arbitrary Post Deletion]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24282, Redirection for Contact Form 7 <= 2.3.3 - Unprotected AJAX Actions, Redirection for Contact Form 7 &lt; 2.3.4 - Unprotected AJAX Actions]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [CVE-2021-24278, Redirection for Contact Form 7 <= 2.3.3 - Unauthenticated Arbitrary Nonce Generation, Redirection for Contact Form 7 &lt; 2.3.4 - Unauthenticated Arbitrary Nonce Generation]
+ 20 more known vulnerabilities
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [WordPress Redirection for Contact Form 7 plugin < 2.5.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [WordPress Redirection for Contact Form 7 plugin < 2.5.0 - Sensitive Information Disclosure vulnerability]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Unauthenticated Arbitrary Nonce Generation vulnerability]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Authenticated Arbitrary Plugin Installation vulnerability]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Authenticated PHP Object Injection vulnerability]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Authenticated Arbitrary Post Deletion vulnerability]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.3.4 [WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Unprotected AJAX Actions vulnerability]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [CVE-2022-0250, Redirection for Contact Form 7 <= 2.4.0 - Reflected Cross-Site Scripting, Redirection for Contact Form 7 &lt; 2.5.0 - Reflected Cross-Site Scripting]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [Unauthorised AJAX Calls via Freemius]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.7.0 [CVE-2021-36913, WordPress Redirection for Contact Form 7 plugin <= 2.4.0 - Unauthenticated Options Change vulnerability, Redirection for Contact Form 7 <= 2.4.0 - Missing Authorization, Redirection for Contact Form 7 &lt; 2.6.0 - Unauthenticated Options Update to Stored XSS]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.5.0 [Freemius SDK <= 2.4.2 - Missing Authorization Checks]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.8.0 [CVE-2023-23990, WordPress Redirection for Contact Form 7 Plugin <= 2.7.0 is vulnerable to Privilege Escalation, Redirection for Contact Form 7 <= 2.7.0 - Authenticated(Editor+) Privilege Escalation]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 2.9.2 [CVE-2023-33999, WordPress Redirection for Contact Form 7 Plugin < 2.9.2 is vulnerable to Cross Site Scripting (XSS), Freemius SDK &lt; 2.5.10 - Reflected Cross-Site Scripting]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 3.0.0 [CVE-2023-39920, WordPress Redirection for Contact Form 7 Plugin <= 2.9.2 is vulnerable to Broken Access Control, Redirection for Contact Form 7 <= 2.9.2 - Missing Authorization, Redirection for Contact Form 7 &lt; 3.0.0 - Missing Authorization]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.5 [CVE-2025-8141, WordPress Redirection for Contact Form 7 Plugin <= 3.2.4 is vulnerable to Arbitrary File Deletion, Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion, EUVD-2025-28791]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.5 [CVE-2025-8145, Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection, EUVD-2025-28794]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.5 [CVE-2025-8289, Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection via PHAR Deserialization, EUVD-2025-28798]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.7 [Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode, EUVD-2025-34977, Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.8 [CVE-2025-14800, Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload, EUVD-2025-204668]
  • Redirection for Contact Form 7 [wpcf7-redirect] < 3.2.9 [CVE-2026-23970, Redirection for Contact Form 7 <= 3.2.8 - Unauthenticated Stored Cross-Site Scripting]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.