CVE-2025-49330
Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-17

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin (cf7-zoho) allows Object Injection. This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through <= 1.3.0.
Meta Information
Published
2025-06-17
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2025-06-17
EPSS Evaluated
2026-05-05
NVD
EUVD
Affected Vendors & Products
Currently, no data is known.
Exploitability
CWE ID: CWE-502
Description: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-49330 is a high-severity PHP Object Injection vulnerability in the WordPress plugin "Integration for Contact Form 7 and Zoho CRM, Bigin" versions up to 1.3.0. It allows unauthenticated attackers to inject malicious PHP objects, potentially leading to remote code execution, SQL injection, path traversal, denial of service, and other attacks if a suitable Property Oriented Programming (POP) chain is present. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts including remote code execution, which allows attackers to run arbitrary code on your server; SQL injection, which can compromise your database; path traversal, which can expose sensitive files; denial of service, which can disrupt service availability; and other attacks depending on exploitation context. Because it requires no authentication and has a high CVSS score of 9.8, it poses a significant risk to affected systems. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can involve monitoring for exploit attempts targeting the vulnerable plugin version. Patchstack provides a virtual patch that intercepts such attacks, which implies network or web server logs could show blocked exploit attempts. Additionally, professional incident response and server-side malware scanning are recommended if compromise is suspected. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Integration for Contact Form 7 and Zoho CRM, Bigin plugin to version 1.3.1 or later, where the vulnerability is fixed. Until updating, applying the Patchstack virtual patch can provide rapid protection by automatically blocking exploit attempts targeting this vulnerability. It is also recommended to perform professional incident response and server-side malware scanning if compromise is suspected. [1]

