CVE-2025-7384
Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 - Unauthenticated PHP Object Injection to Arbitrary File Deletion
criticalDeserialization of Untrusted Data
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
1.4.4
Patched in
1d
Time to patch
Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAttack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability
Technical Details
Affected versions
<=1.4.3PublishedAugust 12, 2025
Last updatedAugust 13, 2025
Affected plugincontact-form-entries
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.