Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Published: 2025-08-13
Score: 9.8 Critical
EPSS: 2.0% Low
KEV: No
Impact: Arbitrary file deletion enabling denial of service or remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Database for Contact Form 7, WPforms, Elementor forms plugin passes user-supplied data to unserialize() in its get_lead_detail routine without validating it first. An attacker who is not logged in can craft a serialized payload that, when deserialized, instantiates an arbitrary PHP object inside the application. That object can trigger a POP chain present in the Contact Form 7 plugin, which in turn lets the attacker delete any file the web server user can write. Removing a critical file such as wp-config.php takes the WordPress site down or, in some configurations, lets the attacker run the install wizard and gain code execution. The weakness is categorized as CWE-502, Deserialization of Untrusted Data.

Affected Systems

WordPress installations running the crmperks Database for Contact Form 7, WPforms, Elementor forms plugin at any version up to and including 1.4.3 are affected, i.e. sites that use it to store submissions from Contact Form 7, WPforms, or Elementor forms.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score of 2% points to a moderate likelihood of exploitation. The vulnerability is not yet listed in the CISA KEV catalog, but the combination of unauthenticated access and the ability to delete arbitrary files makes it a high-risk flaw. From the description it is inferred that the attacker can reach the vulnerable get_lead_detail endpoint over normal web traffic without authentication, submit a malicious serialized payload, trigger the PHP Object Injection, and then remove critical files, causing denial of service or, where the site can be re-installed, remote code execution.

Generated by OpenCVE AI on April 22, 2026 at 14:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version later than 1.4.3 in which the deserialization issue is fixed.
  • If an upgrade cannot be performed immediately, block unauthenticated access to the get_lead_detail endpoint by configuring the web server or firewall so that only authenticated users can reach it.
  • As a short-term fallback, disable or remove the plugin until a fix is applied.
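As an added illustration of the second recommendation, the following sketch is not the plugin's code: the hook name, nonce action, request field and helper names are hypothetical, while the WordPress functions called (add_action, check_ajax_referer, current_user_can, wp_unslash, wp_send_json_error, wp_send_json_success) are real. It shows what a hardened lead-detail handler looks like: the endpoint is registered only for logged-in users, the request carries a nonce and is gated by a capability check, and any serialized payload is decoded with allowed_classes disabled so no object, and therefore no gadget method, can be instantiated.

```php
<?php
// Added example, not code from the Database for Contact Form 7, WPforms,
// Elementor forms plugin. The hook name "example_get_lead_detail", the nonce
// action "example_lead_detail" and the request field "lead" are hypothetical.

/**
 * Decode a lead record without allowing object instantiation.
 *
 * unserialize() with ['allowed_classes' => false] turns every embedded object
 * into __PHP_Incomplete_Class, so no __wakeup() or __destruct() method of any
 * application class can run. A stored or submitted lead is expected to be a
 * plain array; anything else is rejected. Returns the array or null.
 */
function example_decode_lead(string $raw): ?array {
    // Cheap pre-check: a serialized array always starts with "a:<count>:{".
    if (!preg_match('/^a:\d+:\{/', $raw)) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    // Nested objects still arrive as __PHP_Incomplete_Class; refuse the record
    // rather than pass a half-decoded structure on to the rest of the plugin.
    $bad = false;
    array_walk_recursive($data, function ($value) use (&$bad) {
        if ($value instanceof __PHP_Incomplete_Class) {
            $bad = true;
        }
    });
    return $bad ? null : $data;
}

// Only the authenticated hook is registered. Because there is no matching
// wp_ajax_nopriv_ registration, WordPress never dispatches this action for
// visitors who are not logged in.
add_action('wp_ajax_example_get_lead_detail', 'example_get_lead_detail');

function example_get_lead_detail(): void {
    // Nonce bound to this action (generated with
    // wp_create_nonce('example_lead_detail') on the admin page), then a
    // capability check so that a low-privilege account cannot read leads.
    check_ajax_referer('example_lead_detail', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // The untrusted field. A JSON payload decoded with json_decode() would be
    // the better design; if the serialized format must be kept, it is decoded
    // only through the restricted helper above.
    $raw = isset($_POST['lead']) ? (string) wp_unslash($_POST['lead']) : '';
    $lead = example_decode_lead($raw);
    if ($lead === null) {
        // Log the rejection: a serialized object arriving here is a signal
        // worth alerting on, since legitimate clients never send one.
        error_log('example_get_lead_detail: rejected non-array lead payload from user '
            . get_current_user_id());
        wp_send_json_error('invalid lead data', 422);
    }

    wp_send_json_success($lead);
}
```

The decode helper can be exercised on its own outside WordPress: `example_decode_lead('a:1:{s:4:"name";s:3:"Bob";}')` returns the array, while `example_decode_lead('O:8:"stdClass":0:{}')` and `example_decode_lead('a:1:{s:1:"x";O:8:"stdClass":0:{}}')` both return null.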



Advisories

Source: EUVD
ID: EUVD-2025-24539
Title: The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
History

Thu, 14 Aug 2025 06:30:00 +0000

Type: First Time appeared
Values Added: Crmperks; Crmperks database For Contact Form 7, Wpforms, Elementor Forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Crmperks; Crmperks database For Contact Form 7, Wpforms, Elementor Forms; Wordpress; Wordpress wordpress

Wed, 13 Aug 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 Aug 2025 04:45:00 +0000

Type: Description
Values Added: The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

Type: Title
Values Added: Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 - Unauthenticated PHP Object Injection to Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-502

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:27.291Z

Reserved: 2025-07-09T09:44:00.490Z

Link: CVE-2025-7384

Vulnrichment

Updated: 2025-08-13T13:50:46.140Z

NVD

Status : Deferred

Published: 2025-08-13T05:15:26.530

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:30:18Z

Weaknesses