A severe security vulnerability has been identified and publicly disclosed in the “Database for Contact Form 7, WPforms, Elementor forms” WordPress plugin, affecting over 70,000 websites. This flaw, tracked as CVE-2025-7384, allows unauthenticated attackers to achieve remote code execution (RCE), one of the most dangerous types of web application attacks. The vulnerability stems from a PHP object injection flaw, where the plugin fails to properly validate and sanitize user input before deserializing it. By exploiting this weakness, attackers can inject malicious serialized objects into the application’s data stream, tricking the server into executing arbitrary code and potentially gaining full control of the compromised website. This flaw affects all versions of the plugin up to and including 1.4.3 and has been assigned a maximum CVSS score of 9.8, underscoring its critical severity.
The core of the issue lies in the plugin’s get_lead_detail function, which processes user-supplied input without implementing sufficient security checks. This oversight creates a window of opportunity for attackers to send specially crafted data that, when processed, leads to a deserialization of untrusted input. Deserialization is the process of converting a serialized string back into an object. When an application deserializes data without validation, it can unintentionally create objects with properties defined by an attacker. This is precisely what happens in this vulnerability, allowing attackers to introduce and execute harmful code, ultimately leading to a full system compromise.
What makes this vulnerability particularly potent is its ability to be chained with other components commonly found on WordPress sites. According to security researchers, the presence of a Property-Oriented Programming (POP) chain within the popular Contact Form 7 plugin—which is often installed alongside the vulnerable database plugin—allows attackers to escalate the initial object injection. A POP chain is a technique used to link existing pieces of code, or “gadgets,” within an application to achieve a specific malicious goal. In this case, attackers can leverage the POP chain to enable arbitrary file deletion, potentially targeting critical system files like wp-config.php. Deleting core configuration files can disrupt the website’s functionality and may even lead to further exploitation, including the ability to execute remote code.
The vulnerability’s high-risk profile is further highlighted by its ease of exploitation. The attack requires no authentication, meaning any malicious actor on the internet can attempt to exploit this flaw without needing any credentials or prior access to the website. This accessibility, combined with the low attack complexity, makes it a prime target for automated attacks.
Due to the critical nature of this vulnerability and its widespread impact, all users of the “Database for Contact Form 7, WPforms, Elementor forms” plugin are urged to take immediate action. The most effective way to mitigate this risk is to update the plugin to a patched version as soon as one becomes available. If an update is not yet released, disabling or uninstalling the plugin is a recommended temporary measure to protect your website from potential attacks. Website administrators should also monitor their sites for any signs of compromise and ensure that their systems are regularly backed up to facilitate recovery in the event of an attack.
Reference:
