Impact
The vulnerability is a deserialization of untrusted data that permits object injection. An attacker can supply crafted serialized payloads that the PDF for Contact Form 7 plugin processes, potentially allowing remote code execution or arbitrary data manipulation. The weakness corresponds to CWE-502, indicating that the application fails to validate or sanitize deserialized input properly. The impact is high, as a successful exploitation could compromise the entire WordPress installation, yield full control, and enable further lateral movement.
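As an added illustration of the CWE-502 pattern described above (not code from the PDF for Contact Form 7 plugin or its vendor; the function names are hypothetical), a plain-PHP sketch of the unsafe call beside a hardened replacement that refuses to instantiate classes from request data:

```php
<?php
// Added example: the CWE-502 pattern in plain PHP. Function names are
// hypothetical and nothing here is taken from the affected plugin.

// Vulnerable pattern: unserialize() on attacker-controlled input instantiates
// whatever class the payload names, so magic methods (__wakeup, __destruct)
// of any class loaded by WordPress or its plugins can run during a request.
function vulnerable_restore(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened replacement: forbid class instantiation entirely, accept only an
// array, and reject any payload that still carried an object marker (with
// allowed_classes => false such values surface as __PHP_Incomplete_Class).
// Where the format can be changed, JSON (json_decode) avoids the issue outright.
function hardened_restore(string $untrusted): ?array
{
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // scalars, false, or malformed input are rejected
    }
    $hasObject = false;
    // array_walk_recursive descends into nested arrays only, so any object
    // at any depth is visited as a leaf and flagged here.
    array_walk_recursive($data, function ($value) use (&$hasObject) {
        if (is_object($value)) {
            $hasObject = true;
        }
    });
    return $hasObject ? null : $data;
}

// Constructed sample inputs (not captured traffic): ordinary form fields,
// and an array that smuggles a harmless stdClass to show the shape rejected.
$benignFields   = serialize(['name' => 'Ada', 'email' => 'ada@example.com']);
$objectInArray  = 'a:1:{i:0;O:8:"stdClass":0:{}}';

var_dump(hardened_restore($benignFields));
var_dump(hardened_restore($objectInArray));
```

The first call returns the two-key array; the second returns null because the nested object is detected after `allowed_classes => false` has already prevented it from being instantiated as a real class.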
Affected Systems
The affected product is the add‑ons.org PDF for Contact Form 7 plugin, specifically all releases from the first available version up to and including 6.5.0. Users employing any of these versions are vulnerable unless the plugin has been upgraded beyond 6.5.0. No other vendors or products are mentioned.
Risk and Exploitability
The CVSS score of 8.8 classifies this as a high‑severity flaw, yet the EPSS score of less than 1% indicates that the likelihood of an actual exploit in the wild is very low at this time. The CVE is not listed in the CISA KEV catalog. The likely attack vector is remote, via the web, where an attacker submits a malicious payload through the plugin’s form handling or its endpoints. Successful exploitation would require the plugin to be active and the WordPress site exposed to the internet. No public exploits are known, but the high severity suggests that defenders should treat it as a high‑risk threat.
OpenCVE Enrichment