A serious security problem has been found in the Redirection for Contact Form 7 plugin, which many WordPress users add to their sites to handle forms better. This plugin works with the popular Contact Form 7 tool, letting you redirect visitors to a thank-you page or another spot after they submit a form.

On August 19, 2025, experts at Wordfence shared details about this issue, which could let bad actors delete important files on your website without logging in. This might lead to hackers taking over your site. It affects versions up to 3.2.4 and over 300,000 sites worldwide. The good news? A fix is out in version 3.2.5 – update now to stay safe!

What Exactly is This Security Issue?

Think of it like this: The plugin has a part that deletes old files, but it doesn’t check carefully what it’s deleting. This means anyone – even without a password – could trick it into removing key files on your site, like the one that holds your login info (called wp-config.php). If that happens, hackers could sneak in and run bad code, basically taking control of your website.

It affects all versions of the plugin up to 3.2.4. Security folks at Wordfence say this could make it easy for attackers to mess with your site. But don’t worry – updating fixes this hole.

Why This Matters to You

Over 300,000 WordPress sites use this plugin, so lots of people like you could be at risk. Here’s a quick look at what could go wrong:

If you have Contact Form 7 and use redirections, log in to your WordPress dashboard right away and check. And remember, always back up your site regularly – free tools like UpdraftPlus make it super easy!