Description
The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Published: 2025-07-19
Score: 9.8 Critical
EPSS: 2.2% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Integration for Pipedrive and Contact Form 7 plugin contains an unchecked PHP Object Injection flaw within the verify_field_val() function. Unsanitized form data is passed to PHP deserialization, enabling an attacker to inject arbitrary PHP objects. When coupled with a known property-oriented programming (POP) chain in the Contact Form 7 plugin, the attacker can delete arbitrary files, including WordPress configuration files, which can then trigger denial of service or execute arbitrary code on the host. The flaw is classified as CWE-502, insecure deserialization.
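The following is an added illustration of the weakness class described above, not code from the crmperks plugin or from Contact Form 7. The function names, the shape of the form value and the sample inputs are assumptions; it shows the pattern CWE-502 describes (a form field handed straight to unserialize()) beside two hardened alternatives that a plugin author or reviewer would substitute.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code. Function names are hypothetical.

// Weak pattern: the raw form field goes straight to unserialize(). Any class
// loaded in the WordPress process can be instantiated from the string, so a
// gadget (POP chain) living in another plugin becomes reachable from an
// unauthenticated request.
function verify_field_val_weak(string $raw)
{
    return unserialize($raw);
}

// Hardened 1: keep the serialized format but refuse to instantiate objects.
// With allowed_classes => false, every O:/C: record becomes
// __PHP_Incomplete_Class, which carries no __wakeup()/__destruct(), so no
// gadget code runs. Scalars and arrays still round-trip. max_depth bounds
// nesting (PHP 7.4+).
function verify_field_val_hardened(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 16]);
    if ($value === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed field value');
    }
    if (!is_array($value) || containsObject($value)) {
        throw new InvalidArgumentException('objects are not accepted in field values');
    }
    return $value;
}

// Recursive check used by the hardened variant: reject any object anywhere
// in the decoded structure, including __PHP_Incomplete_Class placeholders.
function containsObject(array $value): bool
{
    foreach ($value as $v) {
        if (is_object($v) || (is_array($v) && containsObject($v))) {
            return true;
        }
    }
    return false;
}

// Hardened 2 (preferred for new code): use a data-only format. json_decode()
// with $associative = true can only ever produce scalars and arrays.
function verify_field_val_json(string $raw): array
{
    $value = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $value;
}

// Constructed sample input: what a benign submission might carry.
$benign = serialize(['name' => 'Ada', 'email' => 'ada@example.test']);
var_dump(verify_field_val_hardened($benign));          // array(2) {...}

// Constructed sample input: a serialized stdClass object. The hardened path
// rejects it instead of instantiating it; the weak path would build the object.
$objectPayload = serialize((object) ['a' => 1]);
try {
    verify_field_val_hardened($objectPayload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;    // rejected: objects are not accepted ...
}

var_dump(verify_field_val_json('{"name":"Ada"}'));    // array(1) {...}
```

When auditing a plugin for this class of bug, grep for `unserialize(` calls whose argument derives from `$_POST`, `$_GET`, `$_COOKIE` or request headers, and confirm either that the call carries `'allowed_classes' => false` or that the value is parsed with json_decode() instead; a wrapper helper that eventually calls a bare unserialize() reintroduces the same exposure.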

Affected Systems

The vulnerability affects the Integration for Pipedrive and Contact Form 7, WPForms, Elementor, and Ninja Forms plugin for WordPress, versions up to and including 1.2.3. The vendor is crmperks. No other product versions are reported as impacted.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical threat, while the EPSS score of 2% signifies a moderate likelihood of exploitation. Because the flaw is unauthenticated and reachable via normal form submissions, an attacker only needs HTTP access to the vulnerable site and does not require specific privileges. The vulnerability is not yet listed in the CISA KEV catalog, but its severity and active exploitation channels imply that it could be leveraged in a broader campaign.

Generated by OpenCVE AI on April 21, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Integration for Pipedrive and Contact Form 7 plugin to the latest version that removes the insecure deserialization in verify_field_val().
  • Update or disable the Contact Form 7 plugin to eliminate the POP chain that facilitates file deletion.
  • Apply restrictive file permissions to wp-config.php and prevent it from being writable or directly accessible via the web.
  • If an immediate update is not possible, consider deactivating or removing the Integration plugin until a secure version is released.


Advisories
Source: EUVD
ID: EUVD-2025-21949
Title: The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
History

Mon, 21 Jul 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 19 Jul 2025 04:30:00 +0000

Values removed: none
Values added:
Description: The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Title: Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function
Weaknesses: CWE-502
References:
Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:40.250Z

Reserved: 2025-07-15T22:02:28.714Z

Link: CVE-2025-7696

Vulnrichment

Updated: 2025-07-21T16:54:07.848Z

NVD

Status: Deferred

Published: 2025-07-19T05:15:22.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses