Description
The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Published: 2025-07-19
Score: 9.8 Critical
EPSS: 2.2% Low
KEV: No
Impact: PHP Object Injection enabling unauthenticated attackers to delete arbitrary files or execute code
Action: Patch Immediately
AI Analysis

Impact

The Integration for Google Sheets and Contact Form 7 plugin is subject to PHP Object Injection via the verify_field_val() function when deserializing untrusted input. Attackers can inject a PHP object, which, together with a deserialization chain existing in Contact Form 7, can delete arbitrary files such as wp-config.php. This results in remote code execution or a denial of service. The flaw is identified as CWE‑502 and carries a CVSS score of 9.8.

Affected Systems

Affected systems are WordPress sites running the Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin version 1.1.1 or earlier. The vulnerability exists in the plugin’s code that handles form submissions and in the dependent Contact Form 7 plugin which is commonly paired with it.

Risk and Exploitability

With an EPSS score of 2 percent and the vulnerability not yet listed in CISA’s KEV catalog, widespread exploitation is unlikely, but the flaw remains high risk. The attack is unauthenticated and goes through the public form submission endpoint: an attacker needs no credentials, only a crafted form submission containing a malicious serialized payload. Once executed, the payload may delete wp-config.php, leading to remote code execution or site downtime.

Generated by OpenCVE AI on April 21, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Integration for Google Sheets and Contact Form 7 plugin to the latest available version (>=1.1.2).
  • If an upgrade is not immediately feasible, deactivate or uninstall the plugin to prevent potential exploitation.
  • Ensure that file permissions on wp-config.php and other critical files are set to prevent deletion, and validate that no POP chains remain in the Contact Form 7 configuration.

Generated by OpenCVE AI on April 21, 2026 at 03:55 UTC.
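
As an interim detection while the plugin is being upgraded or removed, form submissions can be screened for PHP serialized object tokens, which is the payload shape the analysis above describes. This Python sketch is an added example, not code from the advisory or the plugin; the field names, the class name `ExampleGadget` and the sample bodies are constructed, and the page does not state which form parameter reaches verify_field_val().

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# PHP serialize() object tokens look like O:<len>:"<Class>":<props>:{ (C: is the
# Serializable form). They start a value or follow ';' or '{' when nested in arrays.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')


def _candidates(value):
    """Yield the field value as sent and, if it is valid base64, its decoded text."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass  # not base64: only the raw value is inspected


def find_php_objects(body):
    """Return [(field, class_name), ...] for serialized objects in a urlencoded body."""
    hits = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        for text in _candidates(value):
            hits.extend((field, m.group(1)) for m in PHP_OBJECT.finditer(text))
    return hits


# Constructed sample submissions: one benign, three carrying an inert object token
# (top-level, nested in a serialized array, and base64-wrapped).
OBJ = 'O:13:"ExampleGadget":0:{}'
SAMPLE_BODIES = [
    urlencode({"your-name": "Alice", "your-message": "Hello, I have a question"}),
    urlencode({"your-name": "Bob", "your-message": OBJ}),
    urlencode({"your-name": "Carol", "your-message": "a:1:{i:0;" + OBJ + "}"}),
    urlencode({"your-name": "Dan", "your-message": base64.b64encode(OBJ.encode()).decode()}),
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(find_php_objects(body) or "clean", "<-", body[:60])
```

A hit is a reason to block or review the request, since ordinary form input has no need to carry serialized PHP objects; it does not replace upgrading or deactivating the plugin.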

Advisories
Source: EUVD
ID: EUVD-2025-21948
Title: The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
History

Mon, 21 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 19 Jul 2025 04:30:00 +0000

Type Values Removed Values Added
Description The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Title Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function
Weaknesses CWE-502
References
Metrics cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:08.545Z

Reserved: 2025-07-15T22:41:37.604Z

Link: CVE-2025-7697

Vulnrichment

Updated: 2025-07-21T17:42:42.656Z

NVD

Status: Deferred

Published: 2025-07-19T05:15:22.377

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses