CVE-2025-7384
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-13
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | contact_form_entries | 1.4.4 |
| wordpress | contact_form_entries | 1.4.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a PHP Object Injection in the Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress, affecting all versions up to and including 1.4.3. It occurs via deserialization of untrusted input in the get_lead_detail function, allowing unauthenticated attackers to inject a PHP Object. When combined with a POP chain in the Contact Form 7 plugin, attackers can delete arbitrary files, potentially causing denial of service or remote code execution by deleting critical files like wp-config.php.
How can this vulnerability impact me?
This vulnerability can have severe impacts including denial of service and remote code execution. Attackers can delete arbitrary files on the server, such as the wp-config.php file, which can disrupt the website's operation or allow attackers to execute malicious code remotely, compromising the security and availability of the affected WordPress site.
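For defenders reviewing stored form entries or request logs for the injection described above, the following added example (not code from the plugin, Wordfence or this page) flags submitted field values that contain a PHP serialized object. It assumes submissions are available as a mapping of entry id to field values; the function names, the sample data and the class name `ExampleGadget` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# PHP's serialize() writes an object as O:<name length>:"<class>":<property count>:{...}
# (C: for classes implementing Serializable). Scalars and arrays use other prefixes.
OBJECT_TOKEN = re.compile(r'[OC]:(\d+):"([^"]+)":\d+:\{')

def serialized_classes(value, max_decode_rounds=2):
    """Return class names of PHP serialized objects found in one submitted value."""
    found = []
    text = value
    for _ in range(max_decode_rounds + 1):
        for length, name in OBJECT_TOKEN.findall(text):
            # The declared length must match the name, which drops most
            # accidental matches in ordinary free-text answers.
            if int(length) == len(name.encode("utf-8")) and name not in found:
                found.append(name)
        decoded = unquote_plus(text)  # also catch URL-encoded submissions
        if decoded == text:
            break
        text = decoded
    return found

def flag_submissions(submissions):
    """Map (entry id, field name) -> class names for every suspicious field."""
    hits = {}
    for entry_id, fields in submissions.items():
        for field, value in fields.items():
            classes = serialized_classes(str(value))
            if classes:
                hits[(entry_id, field)] = classes
    return hits

# Constructed sample submissions; ExampleGadget is a placeholder class name.
SAMPLE = {
    101: {"name": "Ana", "message": "Order O:12 arrived late, ref C:3"},
    102: {"name": "x", "message": 'O:13:"ExampleGadget":1:{s:4:"path";s:5:"a.txt";}'},
    103: {"name": "y", "message": "a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"},
    104: {"name": "z", "message": 'a:2:{i:0;s:2:"hi";i:1;i:5;}'},
}

if __name__ == "__main__":
    for key, classes in flag_submissions(SAMPLE).items():
        print(key, classes)
```

A hit is a lead for review rather than proof of exploitation: legitimate form fields should never carry serialized objects, but the class named in the value still has to exist on the site for a chain to fire.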