Critical WordPress Plugin Vulnerability Exposes 70,000+ Sites to RCE Attacks


A critical security vulnerability has been discovered in the popular “Database for Contact Form 7, WPforms, Elementor forms” WordPress plugin, potentially exposing over 70,000 websites to remote code execution attacks. 

The vulnerability, tracked as CVE-2025-7384 with a maximum CVSS score of 9.8, affects all versions up to and including 1.4.3 and was publicly disclosed on August 12, 2025.

The flaw stems from PHP Object Injection through deserialization of untrusted input in the plugin’s get_lead_detail function, allowing unauthenticated attackers to inject malicious PHP objects without any credentials or user interaction.


Key Takeaways
1. Critical WordPress plugin vulnerability exposes 70,000+ sites to remote code execution.
2. Attackers can exploit PHP Object Injection for system compromise.
3. Update immediately to prevent exploitation.

This represents one of the most severe types of web application vulnerabilities, as it enables attackers to execute arbitrary code on vulnerable servers.

WordPress Plugin Deserialization Vulnerability

The vulnerability arises from deserialization of untrusted data, a common weakness in which the application processes attacker-controlled serialized objects without validating them first.

Security researcher mikemyers identified the specific weakness in the plugin’s data handling mechanism, where user-supplied input is directly deserialized without sanitization checks.

What makes this vulnerability particularly dangerous is the presence of a Property-Oriented Programming (POP) chain in the Contact Form 7 plugin, which is commonly installed alongside the vulnerable database plugin. 

This POP chain allows attackers to escalate their initial object injection into arbitrary file deletion capabilities, potentially targeting critical system files like wp-config[.]php. 

When core WordPress configuration files are deleted, it can lead to complete system compromise or enable remote code execution scenarios.

The attack vector requires no authentication, making it extremely accessible to malicious actors. 

The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates network-based attacks with low complexity, no privileges required, and high impact on confidentiality, integrity, and availability.

Risk Factors          | Details
Affected Products     | Database for Contact Form 7, WPforms, Elementor forms plugin ≤ 1.4.3
Impact                | Remote Code Execution
Exploit Prerequisites | None (unauthenticated attack)
CVSS 3.1 Score        | 9.8 (Critical)

Mitigations

Website administrators using the affected plugin should immediately update to version 1.4.4 or newer, which contains the necessary security patches. 

The vulnerability was addressed through proper input validation and sanitization mechanisms in the get_lead_detail function, preventing malicious object injection.

Given the critical nature of this vulnerability and its potential for widespread exploitation, security experts recommend implementing additional protective measures including Web Application Firewalls (WAF) and regular security monitoring.
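As an added illustration that is not code from the plugin or from this article: the unsafe deserialization pattern the researcher describes (user input passed straight to unserialize()), a hardened handler of the kind the fix in get_lead_detail implies, and a request-level check that a WAF rule or monitoring hook can apply to flag serialized-object payloads. Function names, the expected `id` field and the sample inputs are assumptions; the plugin's actual code and its exact patch are not shown on this page.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Names and expected fields are assumed.

/**
 * Hypothetical handler showing the unsafe pattern behind PHP Object Injection:
 * raw request data goes straight to unserialize(), so any class named in the
 * payload is instantiated and its __wakeup()/__destruct() hooks run.
 * Shown for contrast only; never call this on request data.
 */
function vulnerable_get_lead_detail(string $raw): mixed
{
    return unserialize($raw);   // unsafe: no class restriction, no validation
}

/** True if $value, or any element nested inside it, is an object. */
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Hardened handler. allowed_classes=false turns every object in the payload
 * into __PHP_Incomplete_Class, so no magic methods execute; the decoded value
 * is then checked against the exact shape the caller expects (assumed here:
 * a plain array carrying a non-negative integer "id").
 */
function safe_get_lead_detail(string $raw): ?array
{
    // '@' silences the notice PHP emits on malformed input
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return null;
    }
    if (!isset($data['id']) || !is_int($data['id']) || $data['id'] < 0) {
        return null;
    }
    return ['id' => $data['id']];
}

/**
 * Detection helper for a WAF rule or logging hook: does the value carry a
 * serialized PHP object marker (O:<len>:"<class>" or C:<len>:"<class>")?
 * URL-encoded and base64-encoded variants are decoded before matching.
 * This is a coarse signal for alerting or blocking, not a substitute for
 * fixing the deserialization itself.
 */
function looks_like_serialized_object(string $value): bool
{
    $candidates = [$value, rawurldecode($value)];
    $decoded = base64_decode($value, true);   // strict mode: false unless valid base64
    if ($decoded !== false) {
        $candidates[] = $decoded;
    }
    foreach ($candidates as $candidate) {
        if (preg_match('/(?:^|[;{:])[OC]:\d+:"/', $candidate) === 1) {
            return true;
        }
    }
    return false;
}

/** Walk a request parameter array and return the dotted paths that look hostile. */
function request_contains_object_payload(array $params, string $prefix = ''): array
{
    $flagged = [];
    foreach ($params as $name => $value) {
        $path = $prefix === '' ? (string) $name : "$prefix.$name";
        if (is_array($value)) {
            $flagged = array_merge($flagged, request_contains_object_payload($value, $path));
        } elseif (looks_like_serialized_object((string) $value)) {
            $flagged[] = $path;
        }
    }
    return $flagged;
}

// Constructed sample inputs, not captured traffic.
$benign  = 'a:1:{s:2:"id";i:42;}';   // a plain array with id=42
$hostile = 'O:8:"stdClass":0:{}';     // an arbitrary object, enough to exercise the rejection path

var_dump(safe_get_lead_detail($benign));    // plain-array path
var_dump(safe_get_lead_detail($hostile));   // object path
print_r(request_contains_object_payload([
    'lead_id' => '42',
    'detail'  => $hostile,
    'extra'   => ['blob' => base64_encode($hostile)],
]));
```

Run it with `php example.php` on PHP 7.0 or later (the `allowed_classes` option and the `mixed` return type need 7.0 and 8.0 respectively). The design point is layering: the regex-based check is what a WAF or log monitor can do from outside the application and catches the obvious encodings, while the `allowed_classes` restriction plus shape validation inside the handler is the change that actually removes the object-injection primitive, since an incomplete class has no gadget methods to run.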

Organizations should also conduct comprehensive security audits of their WordPress installations, particularly focusing on form-handling plugins that process user input.

The rapid disclosure and patching of this vulnerability highlight the importance of maintaining updated WordPress environments and the critical role of security researchers in identifying potentially devastating flaws before they can be exploited at scale.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.