A critical security vulnerability has been found in the popular "Database for Contact Form 7, WPforms, Elementor forms" WordPress plugin, potentially exposing over 70,000 websites to remote code execution attacks.
The vulnerability, tracked as CVE-2025-7384 with a maximum CVSS score of 9.8, affects all versions up to and including 1.4.3 and was publicly disclosed on August 12, 2025.
The flaw stems from PHP Object Injection via deserialization of untrusted input in the plugin's get_lead_detail function, allowing unauthenticated attackers to inject malicious PHP objects without requiring any user credentials or interaction.
Key Takeaways
1. Critical WordPress plugin vulnerability exposes 70,000+ sites to remote code execution.
2. Attackers can exploit PHP Object Injection for system compromise.
3. Update immediately to prevent exploitation.
This represents one of the most severe types of web application vulnerabilities, because it allows attackers to execute arbitrary code on vulnerable servers.
WordPress Plugin Deserialization Vulnerability
The vulnerability exploits deserialization of untrusted data, a common attack vector in which malicious serialized objects are processed by the application without proper validation.
Security researcher mikemyers identified the specific weakness in the plugin's data handling mechanism, where user-supplied input is directly deserialized without sanitization checks.
What makes this vulnerability particularly dangerous is the presence of a Property-Oriented Programming (POP) chain in the Contact Form 7 plugin, which is commonly installed alongside the vulnerable database plugin.
This POP chain allows attackers to escalate their initial object injection into arbitrary file deletion, potentially targeting critical system files like wp-config[.]php.
When core WordPress configuration files are deleted, it can lead to full system compromise or enable remote code execution scenarios.
The attack vector requires no authentication, making it extremely accessible to malicious actors.
The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates network-based attacks with low complexity, no privileges required, and high impact on confidentiality, integrity, and availability.
Risk Factors and Details
Affected Products: Database for Contact Form 7, WPforms, Elementor forms plugin ≤ 1.4.3
Impact: Remote Code Execution
Exploit Prerequisites: None (unauthenticated attack)
CVSS 3.1 Score: 9.8 (Critical)
Mitigations
Site administrators using the affected plugin should immediately update to version 1.4.4 or newer, which contains the required security patches.
The vulnerability was addressed through proper input validation and sanitization in the get_lead_detail function, preventing malicious object injection.
Given the critical nature of this vulnerability and its potential for widespread exploitation, security experts recommend implementing additional protective measures, including Web Application Firewalls (WAF) and regular security monitoring.
Organizations should also conduct comprehensive security audits of their WordPress installations, particularly focusing on form-handling plugins that process user input.
The rapid disclosure and patching of this vulnerability highlight the importance of maintaining up-to-date WordPress environments and the critical role of security researchers in identifying potentially devastating flaws before they can be exploited at scale.
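To make the defect class and the fix concrete, here is an added illustration; it is not the plugin's actual source, and the request field name lead_detail and the handler names are assumed. It shows a lead-lookup handler that feeds request data straight into unserialize(), beside a hardened version that never instantiates objects from untrusted input (the pattern the advisory's "input validation and sanitization" fix describes).

```php
<?php
// Added illustration, not the plugin's real code. The handler and field
// names (get_lead_detail_*, $_REQUEST['lead_detail']) are assumed.

// Vulnerable pattern (CWE-502): request data reaches unserialize(), so any
// class on the site with magic methods such as __wakeup()/__destruct() is
// reachable. That is the condition a POP chain in another plugin exploits.
function get_lead_detail_vulnerable(): array {
    $raw    = isset($_REQUEST['lead_detail']) ? $_REQUEST['lead_detail'] : '';
    $detail = unserialize($raw);   // untrusted input deserialized directly
    return is_array($detail) ? $detail : [];
}

// Hardened pattern: accept only the shape the handler needs (an array of
// scalar fields), transported as JSON instead of PHP serialization, and
// sanitize every key and value with WordPress helpers before use.
function get_lead_detail_hardened(): array {
    $raw = isset($_REQUEST['lead_detail']) ? wp_unslash($_REQUEST['lead_detail']) : '';
    if (!is_string($raw) || strlen($raw) > 8192) {
        return [];                 // reject non-strings and oversized input
    }
    $detail = json_decode($raw, true);
    if (!is_array($detail)) {
        return [];                 // JSON cannot encode PHP objects
    }
    $clean = [];
    foreach ($detail as $key => $value) {
        if (is_scalar($value)) {   // drop nested structures entirely
            $clean[sanitize_key($key)] = sanitize_text_field((string) $value);
        }
    }
    return $clean;
}

// If legacy rows stored in PHP-serialized form must still be read, forbid
// object creation: allowed_classes => false turns any embedded object into
// __PHP_Incomplete_Class, so no magic method ever runs.
function read_stored_lead(string $stored): array {
    $detail = @unserialize($stored, ['allowed_classes' => false]);
    return is_array($detail) ? $detail : [];
}
```

Auditing for this pattern on a WordPress site means searching plugin code for unserialize() and maybe_unserialize() calls whose argument can be traced back to $_GET, $_POST, $_REQUEST or $_COOKIE without an intervening whitelist.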