Description
The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Published: 2025-07-19
Score: 9.8 Critical
EPSS: 3.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Integration for Google Sheets and Contact Form 7 plugin is vulnerable to PHP Object Injection because the verify_field_val() function deserializes untrusted input. Attackers can inject a PHP object, which, together with a deserialization (POP) chain in the Contact Form 7 plugin, can delete arbitrary files such as wp-config.php. Deleting that file results in remote code execution or a denial of service. The flaw is identified as CWE-502 and carries a CVSS score of 9.8.

Affected Systems

Affected systems are WordPress sites running the Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin version 1.1.1 or earlier. The vulnerability exists in the plugin’s code that handles form submissions and depends on the commonly paired Contact Form 7 plugin.

Risk and Exploitability

The EPSS score is 3 percent and the vulnerability is not listed in CISA’s KEV catalog, so it remains a high-risk flaw but exploitation is unlikely to be widespread. The attack is unauthenticated and goes through the public form submission endpoint: an attacker requires no credentials but must send a crafted form submission containing a malicious serialized payload. Once the payload is deserialized, it may delete wp-config.php, leading to remote code execution or site downtime.

Generated by OpenCVE AI on May 15, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Integration for Google Sheets and Contact Form 7 plugin to the latest available version (>= 1.1.2).
  • If an upgrade is not immediately feasible, deactivate or uninstall the plugin to eliminate the vulnerable functionality.
  • As a temporary safeguard, modify the verify_field_val() function to perform strict input validation and reject any serialized data that does not conform to expected types, following best practices for preventing PHP Object Injection (CWE-502). Also enforce proper file permissions on critical files such as wp-config.php.

Advisories
Source: EUVD
ID: EUVD-2025-21948
Title: The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
History

Mon, 21 Jul 2025 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 19 Jul 2025 04:30:00 +0000

Values Added:
  Description: The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
  Title: Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function
  Weaknesses: CWE-502
  References:
  Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:08.545Z

Reserved: 2025-07-15T22:41:37.604Z

Link: CVE-2025-7697

Vulnrichment

Updated: 2025-07-21T17:42:42.656Z

NVD

Status: Deferred

Published: 2025-07-19T05:15:22.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T15:15:46Z
