A serious security vulnerability has been disclosed in the widely used WordPress plugin “Database for Contact Form 7, WPforms, Elementor forms,” affecting all versions up to and including 1.4.3.
The flaw, tracked as CVE-2025-7384 with a CVSS score of 9.8 (Critical), allows unauthenticated attackers to inject arbitrary PHP objects and, through that, delete arbitrary files from a vulnerable site.
In-Depth Technical Examination of PHP Object Injection Vulnerability
The vulnerability stems from the deserialization of untrusted data in the plugin’s get_lead_detail function.
Because the plugin passes request data to unserialize() without validating it, an unauthenticated attacker can perform PHP Object Injection; the plugin simply never treated serialized input as hostile.
This unvalidated deserialization of user input is the entry point for malicious payloads.
// Vulnerable code pattern in get_lead_detail function
$data = unserialize($_POST['serialized_data']); // Unsafe deserialization of attacker-controlled input
When this object injection is combined with a Property-Oriented Programming (POP) chain present in the commonly installed Contact Form 7 plugin, attackers can escalate it to arbitrary file deletion.
Deleting a pivotal file such as wp-config.php can cause denial of service (DoS) or even open the way to remote code execution (RCE).
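The snippet above is the vulnerable form; as an added example (not the plugin’s own code), here are two hardened replacements for the same call. The field name serialized_data comes from the article’s snippet; the function names and sample inputs are constructed, and PHP 8 is assumed.

```php
<?php
// Added example, not the plugin's code. The $_POST field name
// "serialized_data" is taken from the article's snippet; function names
// and sample inputs below are constructed. Requires PHP 8.
declare(strict_types=1);

// Hardening 1: keep PHP serialization but never instantiate classes.
// With allowed_classes => false, any object in the payload degrades to
// __PHP_Incomplete_Class, whose magic methods PHP does not invoke, so
// a POP chain has no gadget to start from.
function lead_detail_hardened(string $raw): array
{
    // Cheap pre-check: reject anything that looks like an object (O:)
    // or custom-serialized class (C:) before calling unserialize().
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        throw new InvalidArgumentException('Serialized objects are not accepted');
    }
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Expected a serialized array');
    }
    return $data;
}

// Hardening 2 (preferred for new code): JSON has no object-instantiation
// semantics at all, so deserializing it cannot trigger magic methods.
function lead_detail_json(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Expected a JSON object or array');
    }
    return $data;
}

// Constructed inputs: a benign lead record and an object payload that uses
// a harmless built-in class, to show how objects are neutralised.
$benign = serialize(['lead_id' => 42, 'email' => 'user@example.com']);
$object = 'O:8:"stdClass":1:{s:4:"name";s:4:"test";}';

print_r(lead_detail_hardened($benign));
echo get_class(unserialize($object, ['allowed_classes' => false])), PHP_EOL;
try {
    lead_detail_hardened($object);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo json_encode(lead_detail_json('{"lead_id":42}')), PHP_EOL;
```

Run with `php example.php`; the pre-check rejects the object payload outright, and even if it were bypassed the allowed_classes option leaves only an inert __PHP_Incomplete_Class behind.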
The implications are severe for WordPress installations that run Contact Form 7 alongside the vulnerable database plugin.
A successful attack can culminate in a full site takeover, since adversaries can target essential configuration files and potentially gain administrative access.
Summary of Vulnerability Details:

| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2025-7384 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network (AV:N) |
| Authentication Required | None (PR:N) |
| Affected Versions | ≤ 1.4.3 |
| Patched Version | 1.4.4 |
| Plugin Slug | contact-form-entries |
This vulnerability was publicly disclosed on August 12, 2025, with a corresponding patch released shortly thereafter.
Web administrators are urged to update promptly to version 1.4.4 or later to avert exploitation. Security researcher Mikemyers identified and responsibly reported the flaw.
Given that the vulnerability is unauthenticated and can lead to remote code execution, organizations running affected versions should treat patching as an immediate priority. Supplementary controls such as a Web Application Firewall (WAF) and routine security monitoring remain important for detecting exploitation attempts.
Source link: Cyberpress.org.