A severe security vulnerability has been discovered in a popular WordPress plugin used by over 70,000 websites worldwide, potentially exposing them to complete takeover by malicious actors.
The vulnerability, tracked as CVE-2025-7384, affects the “Database for Contact Form 7, WPforms, Elementor forms” plugin and carries a critical CVSS score of 9.8 out of 10.
Vulnerability Details
The vulnerability stems from improper handling of user input in the plugin’s get_lead_detail function, which fails to properly sanitize data before deserialization.
This critical flaw allows unauthenticated attackers to inject malicious PHP objects into the application without requiring any user credentials or special access.
| Field | Value |
| --- | --- |
| CVE ID | CVE-2025-7384 |
| CVSS Score | 9.8 (Critical) |
| Vulnerability Type | PHP Object Injection / Deserialization of Untrusted Data |
| Affected Versions | ≤ 1.4.3 |
| Patched Version | 1.4.4 |
What makes this vulnerability particularly dangerous is its combination with a Property-Oriented Programming (POP) chain present in the Contact Form 7 plugin, which is commonly used alongside the affected database plugin.
This combination enables attackers to escalate their initial access into arbitrary file deletion capabilities, potentially leading to complete website compromise.
The most severe attack scenario involves the deletion of the wp-config.php file, WordPress’s core configuration file.
When this critical file is removed, it can lead to either a complete denial of service or, in some configurations, provide attackers with the opportunity to achieve remote code execution on the target server.
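The bug class described above, as an added illustration that is not the plugin's own code: a hypothetical lead-detail getter that deserializes untrusted input next to a hardened version that refuses to instantiate any class. Function names, the `$raw` parameter and the sample records are assumptions; it targets PHP 8.0 or later.

```php
<?php
// Added illustration, not the plugin's code. Names (vulnerable_get_lead_detail,
// hardened_get_lead_detail, reject_objects, $raw) are assumptions for the demo.

// VULNERABLE PATTERN (the bug class behind CVE-2025-7384): unserialize() on
// attacker-controlled bytes instantiates whatever class the payload names, so
// any loaded class with __destruct()/__wakeup() side effects becomes a gadget.
function vulnerable_get_lead_detail(string $raw): mixed
{
    return unserialize($raw);
}

// Recursively refuse any object in the decoded value. With allowed_classes
// => false, blocked objects arrive as __PHP_Incomplete_Class; is_object()
// reports them as objects on PHP 7.2+, so they are caught here too.
function reject_objects(mixed $value): void
{
    if (is_object($value)) {
        throw new InvalidArgumentException('object payload rejected');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            reject_objects($item);
        }
    }
}

// HARDENED PATTERN: forbid class instantiation during unserialize() and
// accept only plain arrays of scalars, so no gadget can ever be constructed.
function hardened_get_lead_detail(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('lead detail must be an array');
    }
    reject_objects($data);
    return $data;
}

// Constructed sample inputs: a benign lead record and a record carrying a
// serialized object (stdClass stands in for a gadget class in this demo).
$benign = serialize(['name' => 'Alice', 'email' => 'alice@example.test']);
$object = serialize(['note' => (object) ['x' => 1]]);

echo hardened_get_lead_detail($benign)['name'], "\n";
try {
    hardened_get_lead_detail($object);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

For new code the simpler fix is to store lead details as JSON and read them with `json_decode($raw, true)`, so no object graph is ever rebuilt from untrusted bytes.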
The vulnerability requires no authentication, making it particularly accessible to threat actors. Affected websites face multiple risks, including data theft, website defacement, malware installation, and complete server compromise.
The plugin’s popularity among WordPress developers, particularly those working with widely used form builders such as Contact Form 7, WPforms, and Elementor, significantly amplifies the potential impact.
Website administrators using the affected plugin should immediately update to version 1.4.4 or later, which contains patches for this critical vulnerability.
Site owners can verify their current plugin version through their WordPress admin panel under the “Plugins” section.
Security experts recommend that administrators also implement additional monitoring for unusual file system changes and conduct thorough security audits of any sites running the vulnerable plugin versions.
Given the severity and ease of exploitation, this vulnerability should be treated as a high-priority security incident requiring immediate attention.