Redirection for Contact Form 7 Security & Risk Analysis

wordpress.org/plugins/wpcf7-redirect

Redirect to any page or URL, execute scripts after submission, save data to the database, and unlock additional submission actions for Contact Form 7.

Active installs: 200K · Version: 3.2.9 · Requires: PHP (minimum version not listed), WP 5.1+ · Updated: Feb 10, 2026
Tags: cf7-redirect, contact-form-7-mailchimp, contact-form-7-paypal, redirect-cf7, redirect-to-url

Score: 88 (A · Safe)
CVEs total: 14 · Unpatched: 0 · Last CVE: Dec 20, 2025
Safety Verdict

Is Redirection for Contact Form 7 Safe to Use in 2026?

Generally Safe

Score 88/100

Redirection for Contact Form 7 has no unpatched CVEs. Each of its five 2025 vulnerabilities was patched within a day of disclosure, although the earlier issues (2021 to 2023) took months or years to fix, so the practical advice is to stay on the current release and apply updates promptly.

14 known CVEs · Last CVE: Dec 20, 2025 · Updated 1 month ago
Risk Assessment

The wpcf7-redirect plugin v3.2.9 presents a mixed security posture. It uses prepared statements for all four of its SQL queries and escapes 96% of its output, but its attack surface and its vulnerability history raise concerns. All seven of its AJAX handlers are registered on wp_ajax_ hooks, so WordPress only runs them for logged-in users, yet the static analysis found no nonce or capability check inside any of them. Unless the callbacks authorize in a way the scanner did not detect, a logged-in user of any role can invoke the delete, duplicate, add, reorder, API-test and template-fetch actions, and without a nonce those requests are also exposed to cross-site request forgery. Taint analysis reports unsanitized paths in four of the five tracked data flows, two of them rated high severity.

The plugin's vulnerability record is the larger concern. Its 14 known CVEs split evenly between high and medium severity, five were disclosed in 2025 alone, and the recurring weakness classes (Deserialization of Untrusted Data, Missing Authorization, Path Traversal and Cross-site Scripting) match what the static analysis still flags in the current version. One caveat on the deserialization finding: the single unserialize() call the scan found (wpcf7r-functions.php:921) passes allowed_classes => false, which stops that call from instantiating attacker-chosen classes. It does not cover the PHAR vector of CVE-2025-8289, where deserialization is triggered by a filesystem function receiving a phar:// path rather than by unserialize() itself (on PHP versions that unserialize phar metadata automatically), so the plugin's 21 file operations remain the surface to watch.

In conclusion, the unprotected AJAX endpoints, the unsanitized taint flows and the 2025 run of unauthenticated file-handling and deserialization bugs make this a high-risk plugin despite its good SQL and escaping hygiene. Nothing is currently unpatched, and 3.2.8 or later closes every CVE listed here, but the plugin's past performance warrants keeping it on the latest release and monitoring its file-save and lead-export entry points.

Key Concerns

  • AJAX handlers without nonce or capability checks (7 of 7)
  • High severity taint flows (2 of the 4 unsanitized flows)
  • unserialize() call detected (wpcf7r-functions.php:921; called with allowed_classes => false, see Code Analysis)
  • History of high severity CVEs
  • History of medium severity CVEs
  • Deserialization of Untrusted Data vulnerability history
  • Missing Authorization vulnerability history
  • Cross-site Scripting vulnerability history
  • Path Traversal vulnerability history
Vulnerabilities (14)

Redirection for Contact Form 7 Security Vulnerabilities

CVEs by Year

  2021: 5
  2022: 2
  2023: 2
  2025: 5

Severity Breakdown

  High: 7
  Medium: 7

14 total CVEs, all patched.

CVE-2025-14800 · High (CVSS 8.1) · Unrestricted Upload of File with Dangerous Type
  Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload
  Disclosed Dec 20, 2025 · Patched in 3.2.8 (1 day)

CVE-2025-9562 · Medium (CVSS 6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode
  Disclosed Oct 17, 2025 · Patched in 3.2.7 (1 day)

CVE-2025-8141 · High (CVSS 8.8) · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion
  Disclosed Aug 19, 2025 · Patched in 3.2.5 (1 day)

CVE-2025-8289 · High (CVSS 7.5) · Deserialization of Untrusted Data
  Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection via PHAR Deserialization
  Disclosed Aug 19, 2025 · Patched in 3.2.5 (1 day)

CVE-2025-8145 · High (CVSS 8.8) · Deserialization of Untrusted Data
  Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection
  Disclosed Aug 19, 2025 · Patched in 3.2.5 (1 day)

CVE-2023-39920 · Medium (CVSS 5.3) · Missing Authorization
  Redirection for Contact Form 7 <= 2.9.2 - Missing Authorization
  Disclosed Oct 3, 2023 · Patched in 3.0.0 (112 days)

CVE-2023-23990 · High (CVSS 7.2) · Incorrect Privilege Assignment
  Redirection for Contact Form 7 <= 2.7.0 - Authenticated (Editor+) Privilege Escalation
  Disclosed Feb 6, 2023 · Patched in 2.8.0 (351 days)

CVE-2021-36913 · Medium (CVSS 5.3) · Missing Authorization
  Redirection for Contact Form 7 <= 2.4.0 - Missing Authorization
  Disclosed Sep 29, 2022 · Patched in 2.7.0 (481 days)

CVE-2022-0250 · Medium (CVSS 6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Redirection for Contact Form 7 <= 2.4.0 - Reflected Cross-Site Scripting
  Disclosed Mar 7, 2022 · Patched in 2.5.0 (687 days)

CVE-2021-24279 · Medium (CVSS 6.5) · Incorrect Authorization
  Redirection for Contact Form 7 <= 2.3.3 - Authenticated Arbitrary Plugin Installation
  Disclosed Apr 20, 2021 · Patched in 2.3.4 (1008 days)

CVE-2021-24278 · High (CVSS 7.5) · Incorrect Authorization
  Redirection for Contact Form 7 <= 2.3.3 - Unauthenticated Arbitrary Nonce Generation
  Disclosed Apr 20, 2021 · Patched in 2.3.4 (1008 days)

CVE-2021-24280 · High (CVSS 8.8) · Deserialization of Untrusted Data
  Redirection for Contact Form 7 <= 2.3.3 - Authenticated PHP Object Injection
  Disclosed Apr 20, 2021 · Patched in 2.3.4 (1008 days)

CVE-2021-24282 · Medium (CVSS 6.3) · Missing Authorization
  Redirection for Contact Form 7 <= 2.3.3 - Unprotected AJAX Actions
  Disclosed Apr 20, 2021 · Patched in 2.3.4 (1008 days)

CVE-2021-24281 · Medium (CVSS 4.3) · Incorrect Authorization
  Redirection for Contact Form 7 <= 2.3.3 - Authenticated Arbitrary Post Deletion
  Disclosed Apr 20, 2021 · Patched in 2.3.4 (1008 days)
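The three 2025 file-handling CVEs above (arbitrary file deletion, arbitrary file copy, PHAR deserialization) share one root control: never hand a user-influenced path to a filesystem function before resolving it and confirming it stays inside the directory you intended. The script below is an added example written for this page, not the plugin's code or its actual fix; the function names are hypothetical and the test directory and files are constructed at run time. It runs stand-alone under the PHP CLI.

```php
<?php
// Added example (not the plugin's code): a resolver that rejects stream wrappers
// (the phar:// vector), null bytes and directory traversal, and a delete helper
// that only ever acts through it. Function names are hypothetical.

function wpcf7r_example_resolve_upload_path( string $base_dir, string $user_supplied ): ?string {
    // 1. No stream wrappers: phar://, php://, data://, ftp:// ... Only plain paths.
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $user_supplied ) ) {
        return null;
    }
    // 2. Null bytes: PHP 8 throws on them inside realpath(); refuse them explicitly.
    if ( false !== strpos( $user_supplied, "\0" ) ) {
        return null;
    }
    // 3. Treat the input as a name relative to the base, never as an absolute path.
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $user_supplied );
    if ( false === $candidate ) {
        return null;                       // does not exist or cannot be resolved
    }
    // 4. Containment: after symlinks and ../ are resolved, the path must still
    //    begin with the base directory plus a separator (so the base itself is excluded).
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return null;                       // escaped the upload directory
    }
    return $candidate;
}

// Delete only through the resolver, and only regular files, never directories.
function wpcf7r_example_delete_upload( string $base_dir, string $user_supplied ): bool {
    $path = wpcf7r_example_resolve_upload_path( $base_dir, $user_supplied );
    if ( null === $path || ! is_file( $path ) ) {
        return false;
    }
    return unlink( $path );
}

// Self-check on a throwaway directory (constructed for this example).
$base = sys_get_temp_dir() . '/wpcf7r-example-' . getmypid();
mkdir( $base . '/sub', 0700, true );
file_put_contents( $base . '/sub/ok.txt', 'x' );
$outside = $base . '-outside.txt';         // sibling of the base dir, i.e. outside it
file_put_contents( $outside, 'x' );

$cases = array(
    'sub/ok.txt'                      => true,   // inside: deleted
    '../' . basename( $outside )      => false,  // traversal to a sibling file
    'phar://' . $base . '/sub/ok.txt' => false,  // stream wrapper
    "sub/ok.txt\0.jpg"                => false,  // null-byte truncation attempt
    'sub'                             => false,  // a directory, not a file
);
foreach ( $cases as $input => $expected ) {
    $deleted = wpcf7r_example_delete_upload( $base, $input );
    printf( "%-45s %s\n", addcslashes( $input, "\0" ), $deleted === $expected ? 'ok' : 'UNEXPECTED' );
}

// Clean up the constructed files.
@unlink( $base . '/sub/ok.txt' );
rmdir( $base . '/sub' );
rmdir( $base );
unlink( $outside );
```

realpath() requires the target to exist, which suits delete and read paths; for a copy or move destination, resolve the destination directory the same way and then append a filename you generated yourself (for example via wp_unique_filename() in WordPress) rather than one taken from the request.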
Code Analysis
Analyzed Mar 16, 2026

Redirection for Contact Form 7 Code Analysis

  Dangerous functions: 1
  Raw SQL queries: 0 (4 prepared)
  Unescaped output: 30 (827 escaped)
  Nonce checks: 3
  Capability checks: 13
  File operations: 21
  External requests: 6
  Bundled libraries: 1

Dangerous Functions Found

  unserialize, wpcf7r-functions.php:921:
    $unserialize_data = unserialize( $data, array( 'allowed_classes' => false ) ); // phpcs:ignore WordP
  The trailing phpcs:ignore comment is cut off in the scan output. Note the second argument: allowed_classes => false means this call cannot instantiate attacker-chosen classes, so the flag is about the use of unserialize() on possibly untrusted data, not about an object-injection sink at this line.
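The flagged call passes allowed_classes => false. As an added example (not code from the plugin), the script below shows under the PHP CLI what that option changes and what it leaves open; the gadget class, the serialized payload and the helper function are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's code): what unserialize()'s allowed_classes
// option does and does not protect against. Run with: php unserialize-demo.php

class LoggerGadget {
    public static int $fired = 0;            // counts magic-method executions
    public string $logfile = '/tmp/app.log';

    // In a real gadget chain these would write files, call functions, etc.
    public function __wakeup(): void { self::$fired++; }
    public function __destruct()    { self::$fired++; }
}

// Attacker-controlled serialized string (think cookie or hidden form field).
// Byte counts must be exact: "LoggerGadget" is 12 chars, "logfile" 7, the value 12.
$payload = 'O:12:"LoggerGadget":1:{s:7:"logfile";s:12:"/tmp/app.log";}';

// 1. Plain unserialize(): the class is instantiated, __wakeup runs immediately,
//    and __destruct runs when the object is released.
LoggerGadget::$fired = 0;
$obj = unserialize( $payload );
$plainClass = get_class( $obj );             // "LoggerGadget"
unset( $obj );
$plainFired = LoggerGadget::$fired;          // 2

// 2. allowed_classes => false: PHP builds an __PHP_Incomplete_Class instead.
//    The properties survive as data, but no method of LoggerGadget ever executes.
LoggerGadget::$fired = 0;
$obj = unserialize( $payload, array( 'allowed_classes' => false ) );
$safeClass = get_class( $obj );              // "__PHP_Incomplete_Class"
unset( $obj );
$safeFired = LoggerGadget::$fired;           // 0

printf( "plain   : class=%s magic methods fired=%d\n", $plainClass, $plainFired );
printf( "hardened: class=%s magic methods fired=%d\n", $safeClass, $safeFired );

// 3. Accepting only scalars and arrays closes the remaining gap: an incomplete-class
//    object is still an object, and code that later re-serializes or type-juggles it
//    can misbehave. Reject anything that is not plain data.
function contains_object( $value ): bool {
    if ( is_object( $value ) ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( contains_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

function decode_plain_array( string $raw ): ?array {
    // @ silences the notice/warning on malformed input; false and non-arrays are rejected.
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    return ( is_array( $value ) && ! contains_object( $value ) ) ? $value : null;
}

var_dump( decode_plain_array( 'a:1:{s:3:"key";s:5:"value";}' ) );   // array with one element
var_dump( decode_plain_array( 'a:1:{i:0;' . $payload . '}' ) );      // NULL (object smuggled in array)
var_dump( decode_plain_array( $payload ) );                           // NULL (top-level object)
```

Two limits worth keeping in mind: allowed_classes only governs this one call site, and it does nothing when a phar:// path reaches a filesystem function, which is a different trigger for the same deserialization machinery and is why CVE-2025-8289 on this page is a PHAR issue rather than an unserialize() issue. Where the stored value is plain configuration data, json_encode()/json_decode() avoids the object question entirely.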

Bundled Libraries

  Select2

SQL Query Safety

  100% prepared (4 total queries)

Output Escaping

  96% escaped (857 total outputs)
Data Flows (4 unsanitized)

Data Flow Analysis

5 flows, 4 with unsanitized paths. Listed flow: save (classes\aff\class-ext-accessibe.php:103)
Attack Surface (7 unprotected)

Redirection for Contact Form 7 Attack Surface

Entry points: 12 · Unprotected: 7

AJAX Handlers (7)

All seven are registered on wp_ajax_ hooks, which WordPress runs only for logged-in users (no wp_ajax_nopriv_ variants are listed), and the scanner found no nonce or capability check in any of them. Being logged in is not authorization: without a capability check any role can reach them, and without a nonce they are open to cross-site request forgery.

  wp_ajax_close_ad_banner · classes\class-wpcf7r-base.php:214
  wp_ajax_wpcf7r_delete_action · classes\class-wpcf7r-base.php:216
  wp_ajax_wpcf7r_duplicate_action · classes\class-wpcf7r-base.php:218
  wp_ajax_wpcf7r_add_action · classes\class-wpcf7r-base.php:220
  wp_ajax_wpcf7r_set_action_menu_order · classes\class-wpcf7r-base.php:222
  wp_ajax_wpcf7r_make_api_test · classes\class-wpcf7r-base.php:224
  wp_ajax_wpcf7r_get_action_template · classes\class-wpcf7r-base.php:227
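To make concrete what "unprotected" means for a wp_ajax_ handler, here is an added example (not the plugin's code) of a delete handler in the shape the scanner flags, next to a hardened version, plus a REST route with a permission_callback in the shape the routes listed in this section need. The hook name and the wpcf7r/v1/export route are taken from this page; the callback bodies, the 'nonce' POST field name and the 'wpcf7r_action' post type are assumptions made for the illustration.

```php
<?php
// Added example (not the plugin's code). Hook names come from the attack-surface
// list on this page; callback bodies, the 'nonce' POST field and the
// 'wpcf7r_action' post type are assumptions made for the illustration.

// BEFORE (the shape the scanner flags). wp_ajax_* fires only for logged-in users,
// but nothing asks which user, which capability, or whether a nonce is present,
// so any subscriber can call it and any third-party page can CSRF it.
//
// add_action( 'wp_ajax_wpcf7r_delete_action', 'wpcf7r_example_delete_action_unprotected' );
function wpcf7r_example_delete_action_unprotected() {
    $post_id = (int) $_POST['post_id'];
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// AFTER: nonce (CSRF), validated input, and an object-level capability check.
add_action( 'wp_ajax_wpcf7r_delete_action', 'wpcf7r_example_delete_action_hardened' );
function wpcf7r_example_delete_action_hardened() {
    // 1. The admin page issuing the request must embed
    //    wp_create_nonce( 'wpcf7r_delete_action' ) and POST it as 'nonce';
    //    check_ajax_referer() terminates the request with -1 otherwise.
    check_ajax_referer( 'wpcf7r_delete_action', 'nonce' );

    // 2. Validate before the value reaches any sink.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id ) {
        wp_send_json_error( array( 'message' => 'invalid post id' ), 400 );
    }

    // 3. Authorize against the specific object, not just "is logged in": the post
    //    must be one of the plugin's own action posts (assumed type), and this user
    //    must hold delete_post on that id (a meta capability WordPress resolves per post).
    $post = get_post( $post_id );
    if ( ! $post || 'wpcf7r_action' !== $post->post_type || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// REST routes enforce the same thing through permission_callback. The route is the
// export endpoint listed on this page; the callback body is an assumption.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wpcf7r/v1', '/export', array(
        'methods'             => 'GET',
        'callback'            => 'wpcf7r_example_export_leads',
        // '__return_true' here would make every saved lead world-readable.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function wpcf7r_example_export_leads( WP_REST_Request $request ) {
    $ids = get_posts( array(
        'post_type'   => 'wpcf7r_leads',   // the leads post type visible in the hook list
        'fields'      => 'ids',
        'numberposts' => 100,
    ) );
    return rest_ensure_response( array( 'lead_ids' => $ids ) );
}
```

check_ajax_referer() ends the request on failure, so the capability check cannot be bypassed by omitting the nonce; conversely a valid nonce proves only that the request came from a page WordPress rendered for this user, not that the user may delete this post, which is why step 3 is still required. The scanner's counts on this page (3 nonce checks, 13 capability checks, 7 unprotected handlers) are exactly the numbers this kind of edit moves.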

REST API Routes (2)

  GET /wp-json/wpcf7r/v1/export · classes\class-wpcf7r-leads-manager.php:57
  GET /wp-json/wpcf7r/v1/download-file · classes\class-wpcf7r-save-files.php:28

Shortcodes (3)

  [get_param] · modules\cf7r-shortcode-get-param-field.php:8
  [wpcf7r_posted_param] · modules\cf7r-shortcode-get-param-field.php:9
  [qs_date] · wpcf7r-functions.php:556 (the stored XSS in CVE-2025-9562 went through this shortcode; fixed in 3.2.7)
WordPress Hooks (84)

  action plugins_loaded · class-wpcf7-redirect.php:40
  filter redirection_for_contact_form_7_about_us_metadata · class-wpcf7-redirect.php:42
  action admin_menu · class-wpcf7-redirect.php:43
  action admin_menu · class-wpcf7-redirect.php:44
  filter wpcf7_get_extensions · class-wpcf7-redirect.php:45
  filter redirection_for_contact_form_7_float_widget_metadata · class-wpcf7-redirect.php:47
  filter wpcf7_redirect_float_widget_metadata · class-wpcf7-redirect.php:48
  filter themeisle_sdk_blackfriday_data · class-wpcf7-redirect.php:49
  action admin_notices · class-wpcf7-redirect.php:208
  action init · classes\actions\class-wpcf7r-action-erase-data-request.php:12
  action init · classes\actions\class-wpcf7r-action-firescript.php:10
  action init · classes\actions\class-wpcf7r-action-honeypot.php:11
  action wp_footer · classes\actions\class-wpcf7r-action-honeypot.php:127
  action init · classes\actions\class-wpcf7r-action-redirect.php:12
  action init · classes\actions\class-wpcf7r-action-save-lead.php:10
  action init · classes\actions\class-wpcf7r-action-sendmail.php:10
  filter wpcf7_skip_mail · classes\actions\class-wpcf7r-action-sendmail.php:219
  action admin_menu · classes\aff\class-ext-accessibe.php:210
  action wp_footer · classes\aff\class-ext-accessibe.php:678
  action wpcf7_before_send_mail · classes\class-wpcf7r-base.php:125
  filter wpcf7_validate · classes\class-wpcf7r-base.php:127
  filter wpcf7_feedback_response · classes\class-wpcf7r-base.php:129
  action init · classes\class-wpcf7r-base.php:130
  filter wpcf7_contact_form_properties · classes\class-wpcf7r-base.php:135
  action wpcf7_submit · classes\class-wpcf7r-base.php:140
  action wpcf7_after_create · classes\class-wpcf7r-base.php:142
  action before_delete_post · classes\class-wpcf7r-base.php:144
  action wpcf7_contact_form · classes\class-wpcf7r-base.php:146
  action init · classes\class-wpcf7r-base.php:148
  action init · classes\class-wpcf7r-base.php:150
  action restrict_manage_posts · classes\class-wpcf7r-base.php:153
  filter parse_query · classes\class-wpcf7r-base.php:154
  action admin_init · classes\class-wpcf7r-base.php:155
  action rest_api_init · classes\class-wpcf7r-base.php:158
  action plugins_loaded · classes\class-wpcf7r-base.php:212
  action rest_api_init · classes\class-wpcf7r-dashboard.php:129
  action deleted_post · classes\class-wpcf7r-dashboard.php:206
  action init · classes\class-wpcf7r-form-helper.php:87
  action plugins_loaded · classes\class-wpcf7r-form-helper.php:88
  action wpcf7_editor_panels · classes\class-wpcf7r-form-helper.php:89
  action wpcf7_after_save · classes\class-wpcf7r-form-helper.php:90
  action wp_enqueue_scripts · classes\class-wpcf7r-form-helper.php:92
  action admin_enqueue_scripts · classes\class-wpcf7r-form-helper.php:94
  action before_redirect_settings_tab_title · classes\class-wpcf7r-form-helper.php:95
  action admin_footer · classes\class-wpcf7r-form.php:151
  filter manage_wpcf7r_leads_posts_columns · classes\class-wpcf7r-leads-manager.php:47
  action manage_wpcf7r_leads_posts_custom_column · classes\class-wpcf7r-leads-manager.php:48
  action pre_get_posts · classes\class-wpcf7r-leads-manager.php:49
  action admin_enqueue_scripts · classes\class-wpcf7r-leads-manager.php:50
  action wpcf7_editor_panels · classes\class-wpcf7r-module.php:51
  action admin_enqueue_scripts · classes\class-wpcf7r-module.php:55
  action init · classes\class-wpcf7r-post-types.php:26
  action add_meta_boxes · classes\class-wpcf7r-post-types.php:27
  action save_post · classes\class-wpcf7r-post-types.php:28
  action init · classes\class-wpcf7r-post-types.php:29
  action admin_enqueue_scripts · classes\class-wpcf7r-post-types.php:160
  action rest_api_init · classes\class-wpcf7r-save-files.php:25
  action before_delete_post · classes\class-wpcf7r-save-files.php:71
  action admin_init · classes\class-wpcf7r-settings.php:38
  filter plugin_row_meta · classes\class-wpcf7r-settings.php:39
  action wp_head · classes\class-wpcf7r-submission.php:78
  action wp_head · classes\class-wpcf7r-submission.php:86
  action wp_head · classes\class-wpcf7r-submission.php:89
  filter wpcf7_skip_mail · classes\class-wpcf7r-submission.php:152
  action themeisle_internal_page · classes\class-wpcf7r-survey.php:39
  filter pre_set_site_transient_update_plugins · classes\class-wpcf7r-updates.php:86
  filter plugins_api · classes\class-wpcf7r-updates.php:89
  action show_user_profile · classes\class-wpcf7r-user.php:29
  action edit_user_profile · classes\class-wpcf7r-user.php:30
  action personal_options_update · classes\class-wpcf7r-user.php:32
  action edit_user_profile_update · classes\class-wpcf7r-user.php:33
  filter after_qs_cf7_api_send_lead · classes\class-wpcf7r-utils.php:856
  action plugins_loaded · licensing_fs.php:71
  action wpcf7_init · modules\cf7-shortcode-password-field.php:13
  filter wpcf7_validate_password · modules\cf7-shortcode-password-field.php:115
  filter wpcf7_validate_password* · modules\cf7-shortcode-password-field.php:116
  filter wpcf7_messages · modules\cf7-shortcode-password-field.php:147
  action wpcf7_admin_init · modules\cf7-shortcode-password-field.php:185
  action admin_init · wpcf7-redirect.php:51
  filter themeisle_sdk_products · wpcf7-redirect.php:138
  filter themeisle_sdk_hide_dashboard_widget · wpcf7-redirect.php:146
  filter wpcf7_redirect_about_us_metadata · wpcf7-redirect.php:218
  action init · wpcf7-redirect.php:231
  action admin_init · wpcf7-redirect.php:239
Maintenance & Trust

Redirection for Contact Form 7 Maintenance & Trust

Maintenance Signals

  WordPress version tested: 6.9.4
  Last updated: Feb 10, 2026
  PHP min version: not listed
  Downloads: 5.6M

Community Trust

  Rating: 94/100
  Number of ratings: 270
  Active installs: 200K
Developer Profile

Redirection for Contact Form 7 Developer Profile

Themeisle
37 plugins · 2.2M total installs

  Trust score: 76
  Avg security score: 96/100
  Avg patch time: 420 days
Detection Fingerprints

How We Detect Redirection for Contact Form 7

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

  Asset paths:
    /wp-content/plugins/wpcf7-redirect/assets/js/wpcf7r-pro-redirect.js
    /wp-content/plugins/wpcf7-redirect/assets/css/wpcf7r-pro-redirect.css
  Script paths:
    /wp-content/plugins/wpcf7-redirect/assets/js/wpcf7r-pro-redirect.js
  Version parameters:
    wpcf7-redirect/assets/js/wpcf7r-pro-redirect.js?ver=
    wpcf7-redirect/assets/css/wpcf7r-pro-redirect.css?ver=

HTML / DOM Fingerprints

  CSS classes: wpcf7r-pro-redirect
  Data attributes: data-wpcf7r-pro-redirect
  JS globals: wpcf7r_pro_redirect_object
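As an added example (not the site's own detector), the script below applies these fingerprints to a page's HTML, pulls the version out of ?ver=, and compares it against the fixed-in versions from the CVE table on this page using PHP's version_compare(). The HTML sample, its element ids and the JSON in it are constructed; the function names are hypothetical. It runs stand-alone under the PHP CLI.

```php
<?php
// Added example (not the scanner's code): fingerprint the plugin in HTML and map
// the detected version onto the fixed-in versions listed on this page.

// Asset path fingerprint with an optional ?ver= capture group.
const WPCF7R_ASSET_RE = '#/wp-content/plugins/wpcf7-redirect/assets/(?:js|css)/wpcf7r-pro-redirect\.(?:js|css)(?:\?ver=([0-9][0-9A-Za-z.\-]*))?#';

// CVE => first fixed version, as given in the vulnerability table on this page.
const WPCF7R_FIXED_IN = array(
    'CVE-2025-14800' => '3.2.8',
    'CVE-2025-9562'  => '3.2.7',
    'CVE-2025-8141'  => '3.2.5',
    'CVE-2025-8289'  => '3.2.5',
    'CVE-2025-8145'  => '3.2.5',
    'CVE-2023-39920' => '3.0.0',
    'CVE-2023-23990' => '2.8.0',
    'CVE-2021-36913' => '2.7.0',
    'CVE-2022-0250'  => '2.5.0',
    'CVE-2021-24279' => '2.3.4',
    'CVE-2021-24278' => '2.3.4',
    'CVE-2021-24280' => '2.3.4',
    'CVE-2021-24282' => '2.3.4',
    'CVE-2021-24281' => '2.3.4',
);

// Returns null if nothing matched, otherwise the evidence found and the version (or null).
function wpcf7r_detect( string $html ): ?array {
    $assetHits = preg_match_all( WPCF7R_ASSET_RE, $html, $m );
    $domHit    = ( false !== strpos( $html, 'data-wpcf7r-pro-redirect' ) )
              || ( false !== strpos( $html, 'wpcf7r_pro_redirect_object' ) )
              || ( 1 === preg_match( '#class="[^"]*\bwpcf7r-pro-redirect\b#', $html ) );
    if ( ! $assetHits && ! $domHit ) {
        return null;
    }
    $version = null;
    foreach ( $m[1] as $v ) {            // first non-empty ?ver= wins
        if ( '' !== $v ) {
            $version = $v;
            break;
        }
    }
    return array( 'asset_hits' => (int) $assetHits, 'dom_hit' => $domHit, 'version' => $version );
}

// wp_enqueue_script() with no version emits the WordPress core version, so a ?ver=
// equal to the site's core version says nothing about the plugin version.
function wpcf7r_version_is_trustworthy( ?string $version, ?string $wp_version ): bool {
    return null !== $version && $version !== $wp_version;
}

function wpcf7r_affected_cves( string $version ): array {
    $hits = array();
    foreach ( WPCF7R_FIXED_IN as $cve => $fixed ) {
        if ( version_compare( $version, $fixed, '<' ) ) {
            $hits[] = $cve;
        }
    }
    return $hits;
}

// Constructed sample page: a site still on 3.2.4 with the plugin's assets enqueued.
$sample_html = <<<'HTML'
<link rel="stylesheet" id="wpcf7r-pro-redirect-css" href="https://example.com/wp-content/plugins/wpcf7-redirect/assets/css/wpcf7r-pro-redirect.css?ver=3.2.4" media="all">
<script src="https://example.com/wp-content/plugins/wpcf7-redirect/assets/js/wpcf7r-pro-redirect.js?ver=3.2.4" id="wpcf7r-pro-redirect-js"></script>
<script>var wpcf7r_pro_redirect_object = {"ajax_url":"https:\/\/example.com\/wp-admin\/admin-ajax.php"};</script>
HTML;

$hit = wpcf7r_detect( $sample_html );
if ( null === $hit ) {
    echo "plugin not detected\n";
} else {
    printf( "detected: %d asset hits, dom hit=%s, version=%s\n",
        $hit['asset_hits'], $hit['dom_hit'] ? 'yes' : 'no', $hit['version'] ?? 'unknown' );
    if ( wpcf7r_version_is_trustworthy( $hit['version'], '6.9.4' ) ) {
        // Expected for 3.2.4: the five 2025 CVEs (all fixed in 3.2.5 or later).
        echo "possibly affected by: " . implode( ', ', wpcf7r_affected_cves( $hit['version'] ) ) . "\n";
    } else {
        echo "version not attributable to the plugin; treat as unknown\n";
    }
}
```

Treat a version-based match as a lead, not a finding: ?ver= can be rewritten by caching and minification plugins, and the readme "Stable tag" served from /wp-content/plugins/wpcf7-redirect/readme.txt, when reachable, is a second source worth cross-checking before reporting a site as vulnerable.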
FAQ

Frequently Asked Questions about Redirection for Contact Form 7