SecuriTricks - CVE-2025-7384

Description

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

Product(s) Impacted

Vendor	Product	Versions
Wordpress	Contact Form 7 Wpforms Elementor	* * *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	wordpress	contact_form_7	/	/	/	/	/	wordpress	/	/
a	wordpress	wpforms	/	/	/	/	/	wordpress	/	/
a	wordpress	elementor	/	/	/	/	/	wordpress	/	/

References

https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.4.1/includes/data.php#L525

https://plugins.trac.wordpress.org/changeset/3338764/#file9

https://www.wordfence.com/threat-intel/vulnerabilities/id/129f810d-ff83-4428-9f98-6a6aa8817783?source=cve

CVSS Score

9.8 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: Aug. 13, 2025, 5:15 a.m.
Last Modified: Aug. 13, 2025, 5:33 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@wordfence.com

CVE-2025-7384