A severe security flaw has been identified in the widely used “Database for Contact Form 7, WPforms, Elementor forms” WordPress plugin, putting more than 70,000 websites at risk of remote code execution (RCE) attacks.
The issue, registered as CVE-2025-7384 with a CVSS score of 9.8 (Critical), impacts all plugin versions up to and including 1.4.3. It was publicly disclosed on August 12, 2025.
Nature of the Vulnerability
The flaw is caused by PHP Object Injection due to unsafe deserialization of untrusted input within the plugin’s get_lead_detail function. This allows unauthenticated attackers to inject malicious PHP objects without any login credentials or user interaction.
Security researcher mikemyers discovered that the vulnerability stems from improper handling of user-supplied input, which is deserialized without any sanitization or validation checks.
Why This Exploit is Highly Dangerous
The risk is amplified by the presence of a Property-Oriented Programming (POP) chain in the Contact Form 7 plugin, which is often installed alongside the vulnerable database plugin. Attackers can leverage this chain to escalate from object injection to arbitrary file deletion, potentially removing critical files such as wp-config.php.
If configuration files are deleted, it could result in complete site compromise or enable remote code execution.
CVSS Vector:
This means the attack can be launched over the network, requires low complexity, no privileges, and has high impact on confidentiality, integrity, and availability.
| Risk Factor | Details |
|---|---|
| Affected Products | Database for Contact Form 7, WPforms, Elementor forms plugin ≤ 1.4.3 |
| Impact | Remote Code Execution |
| Exploit Prerequisites | None (Unauthenticated attack) |
| CVSS Score | 9.8 (Critical) |
Mitigation and Recommendations
Administrators should immediately update the plugin to version 1.4.4 or later, which fixes the flaw by adding input validation and sanitization in the get_lead_detail function.
Additional steps:
- Deploy a Web Application Firewall (WAF) for extra protection.
- Perform regular security monitoring and log analysis.
- Conduct security audits on WordPress installations, especially form-handling plugins.
- Review guidance from trusted sources here: <–link import –>
The swift detection and patching of this vulnerability demonstrate the importance of keeping WordPress environments up to date and the critical role of security researchers in preventing large-scale cyberattacks.
