What is CVE-2025-14800?

CVE-2025-14800 is a security vulnerability identified in Folder Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-14800?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-14800.

How can I protect against CVE-2025-14800?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-14800.

REPORT / 01

Analysis Report · Folder Analysis cache/wpcf7-redirect_3.2.7 → cache/wpcf7-redirect_3.2.8 — CVE-2025-14800

Shared security patch analysis results

mode patchdiff ai claude_cli haiku

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14800 NVD

AI-Generated Analysis

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

classes/class-wpcf7r-save-files.php AI: 1 vulnerabilities 1 true positive CVE-2025-14800

--- cache/wpcf7-redirect_3.2.7/classes/class-wpcf7r-save-files.php	2025-12-21 09:36:55.616558103 +0000+++ cache/wpcf7-redirect_3.2.8/classes/class-wpcf7r-save-files.php	2025-12-21 09:37:05.689184005 +0000@@ -178,6 +178,12 @@ 	 * @return string|false The destination path if successful, false otherwise. 	 */ 	public function move_file_to_upload( $file_path ) {++		$validate = wp_check_filetype( $file_path );+		if ( ! $validate['type'] || preg_match( '#^[a-zA-Z0-9+.-]+://#', $file_path ) ) {+			die( esc_html__( 'File type is not allowed', 'wpcf7-redirect' ) );+		}+ 		global $wp_filesystem; 		$this->filesystem_init(); @@ -263,6 +269,7 @@ 		$dir = $this->get_uploads_dir();  		if ( is_dir( $dir ) && is_writable( $dir ) ) {+			$this->init_index_file( $dir ); 			$htaccess_file = path_join( $dir, '.htaccess' );  			if ( file_exists( $htaccess_file ) ) {@@ -293,4 +300,34 @@ 			} 		} 	}++	/**+	 * Initializes the index.php file.+	 *+	 * @param string $dir Upload dir path.+	 * @return void+	 */+	private function init_index_file( $dir ) {+		$index_file    = path_join( $dir, 'index.php' );++		if ( file_exists( $index_file ) ) {+			list( , $second_line_comment ) = (array) file(+				$index_file,+				FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES+			);++			if ( '// Silence is golden.' === $second_line_comment ) {+				return;+			}+		}++		$handle = @fopen( $index_file, 'w' );++		if ( $handle ) {+			fwrite( $handle, "<?php\n" );+			fwrite( $handle, '// Silence is golden.' );++			fclose( $handle );+		}+	} }

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation (Path Traversal) - CWE-22 - classes/class-wpcf7r-save-files.php Lines 181-185

Old Code:
```php
public function move_file_to_upload( $file_path ) {
	global $wp_filesystem;
	$this->filesystem_init();
```

Fixed Code:
```php
public function move_file_to_upload( $file_path ) {

	$validate = wp_check_filetype( $file_path );
	if ( ! $validate['type'] || preg_match( '#^[a-zA-Z0-9+.-]+://#', $file_path ) ) {
		die( esc_html__( 'File type is not allowed', 'wpcf7-redirect' ) );
	}

	global $wp_filesystem;
	$this->filesystem_init();
```

Explanation:
The vulnerability existed because the `move_file_to_upload()` function accepted a `$file_path` parameter without validating it before use. This could allow attackers to:
1. Upload files with disallowed types, potentially executing malicious code
2. Use protocol wrappers (detected by the `#^[a-zA-Z0-9+.-]+://#` regex) to access remote files or special streams

The fix adds validation using `wp_check_filetype()` to ensure the file type is allowed and rejects paths containing protocol schemes (like `php://`, `file://`, `http://`), preventing both arbitrary file type uploads and protocol-based attacks.

---

Vulnerability Existed: not sure
Information Disclosure / Directory Listing - CWE-548 - classes/class-wpcf7r-save-files.php Lines 303-333

Old Code:
```php
}
```

Fixed Code:
```php
}

/**
 * Initializes the index.php file.
 *
 * @param string $dir Upload dir path.
 * @return void
 */
private function init_index_file( $dir ) {
	$index_file    = path_join( $dir, 'index.php' );

	if ( file_exists( $index_file ) ) {
		list( , $second_line_comment ) = (array) file(
			$index_file,
			FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES
		);

		if ( '// Silence is golden.' === $second_line_comment ) {
			return;
		}
	}

	$handle = @fopen( $index_file, 'w' );

	if ( $handle ) {
		fwrite( $handle, "<?php\n" );
		fwrite( $handle, '// Silence is golden.' );

		fclose( $handle );
	}
}
```

Explanation:
This new method creates an `index.php` file in upload directories, a common WordPress security practice to prevent directory listing attacks (CWE-548). The "Silence is golden" comment is a WordPress convention indicating an empty index file meant to block directory traversal. This is a **defensive measure** rather than a fix for an existing vulnerability, as it prevents future directory listing attacks. Uncertainty exists because we cannot confirm if directory listing was previously a problem, but the addition is a legitimate security hardening practice.

CVE Analysis Results:

CVE-2025-14800: Yes

View CVE Description

The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server.

Showing 1 to 1 of 1 results