CVE-2025-7384
The Database for Contact Form 7, WPforms, Elementor forms plugin
Description
Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Affected Vendors & Products
| Vendor | Product | Version |
|---|---|---|
| wordpress | contact_form_entries | 1.4.3 |
| wordpress | wp_forms | * |
| wordpress | contact_form_entries | 1.4.4 |
| wordpress | contact_form_7 | * |
| wordpress | elementor_forms | * |
| wordpress | ninja_forms | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
How can this vulnerability impact me? :
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart
Meta Information
CVE Publication Date:
2025-08-13
CVE Last Modified Date:
2025-08-13
Report Generation Date:
2025-11-04
AI Powered Q&A Generation:
2025-08-13
EPSS Last Evaluated Date:
2025-09-10
NVD Report Link: