
A critical security vulnerability has been disclosed in the widely used Database for Contact Form 7, WPforms, Elementor Forms plugin for WordPress. Tracked as CVE-2025-7384 with a CVSS score of 9.8, this flaw affects all versions up to and including 1.4.3 and could let unauthenticated attackers inject arbitrary PHP objects, potentially leading to site-wide denial of service or remote code execution.
The plugin automatically stores form submissions from popular WordPress contact form plugins, including Contact Form 7, WPforms, Elementor Forms, and CRM Perks Forms, directly in the site's database. It is installed on over 70,000 sites. Its widespread adoption and direct access to critical site data make it a high-value target for attackers.
Summary
Vulnerability: PHP Object Injection in Database for Contact Form 7, WPforms, Elementor Forms plugin for WordPress resulting in denial of service and potential remote code execution.
CVE: CVE-2025-7384
Impact: Allows unauthenticated attackers to inject arbitrary PHP objects, delete critical configuration files including wp-config.php, cause site-wide outages, and potentially execute remote code.
Affected Versions: All versions up to 1.4.3
Severity: Critical, CVSS 9.8
Fix: Update to version 1.4.4 immediately.
How the attack works
At the core of CVE-2025-7384 is a PHP Object Injection vulnerability in the get_lead_detail function. The plugin deserializes untrusted input from stored form submissions. An attacker can submit specially crafted payloads to inject arbitrary PHP objects into the application without authentication.
When the plugin is used alongside Contact Form 7, the risk increases. A property-oriented programming (POP) chain in Contact Form 7 allows attackers to delete arbitrary files, including the critical wp-config.php. Removal of this file can result in complete site denial of service or enable attackers to reinstall WordPress under their control, achieving full remote code execution.
The exploit is simple to automate and requires no prior access or privileges. Any publicly accessible WordPress site running a vulnerable version is at immediate risk.
Exploitation in the wild
Reports from multiple security teams indicate that CVE-2025-7384 is actively targeted. Attackers are scanning the internet for vulnerable sites and attempting to exploit the deserialization flaw to compromise WordPress installations.
What makes this so dangerous
CVE-2025-7384 combines several high risk factors:
- Unauthenticated exploitation: no login or privileges are required
- Destructive payload: attackers can delete critical WordPress configuration files
- Widespread exposure: over 70,000 active installations with public-facing forms are affected
- Persistent risk: old malicious data in the database may remain exploitable even after the patch is applied
A single vulnerable plugin installation can lead to complete site compromise, making this a top priority threat for WordPress administrators.
Patch and its limitations
The developers have released version 1.4.4 to address this vulnerability. The patch limits unsafe deserialization by unserializing stored data only for records created before a fixed cutoff date.
Here is an excerpt of the patch showing the new maybe_unserialize function:
--- old/contact-form-entries.php 2025-07-25 06:57:10
+++ new/contact-form-entries.php 2025-08-04 07:02:18
@@ -1391,6 +1391,13 @@
}
}
return $uploaded_files;
+}
+public static function maybe_unserialize($value,$lead=array()){
+ $old_lead=!empty($lead['created']) && strtotime($lead['created']) < 1754290480 ? true : false;
+ if($old_lead && !empty($value)){
+ $value=maybe_unserialize($value);
+ }
+return $value;
}
public function get_forms_jetpack(){
return get_posts( array(
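Review bot: the cutoff test in maybe_unserialize does not check whether strtotime() succeeded. strtotime() returns false for a created value it cannot parse, and `false < 1754290480` is true in PHP, so such a record is classified as old and still handed to WordPress's maybe_unserialize(). Store the result and require an integer, e.g. `$ts = strtotime($lead['created']); $old_lead = $ts !== false && $ts < 1754290480;`, and give the magic epoch 1754290480 a named, documented constant so the cutoff is visible to the next maintainer. The unqualified `maybe_unserialize($value)` inside a static method of the same name resolves to the global WordPress function, which appears intended but deserves a comment.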
This function unserializes only records created before the cutoff; newer submissions are returned as-is, so newly injected payloads are no longer deserialized automatically.
A critical limitation remains: malicious data inserted into the database before the patch may still be exploitable, because records older than the cutoff continue to be unserialized. The patch protects new data only. Organizations must audit and sanitize their databases to mitigate this residual risk.
Mitigation steps and best practices
- Apply version 1.4.4 of the plugin immediately.
This update addresses the deserialization issue for new inputs.
- Inspect the database for malicious entries.
Sites that ran vulnerable versions before the patch may still hold old malicious records.
- Review and sanitize stored form submissions to prevent exploitation of legacy data.
- Take full site backups before applying patches.
- Monitor logs for suspicious POST requests targeting form submission endpoints.
Watch for unexpected file deletions, especially of wp-config.php.
- Harden WordPress security.
Restrict file permissions, disable unnecessary plugins, and audit user access to reduce the attack surface.
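As an added example (not the plugin's or the advisory's code) for the database audit recommended above and in the patch limitations: a small Python parser for PHP's serialize() format that reports any object (O:) token nested inside a stored value, so legitimate text that merely contains "O:8:" is not misflagged and truncated or unsupported rows are flagged rather than skipped. It assumes stored submissions are PHP-serialized values; the sample rows are constructed.

```python
"""Added example, not plugin code: find PHP objects in values stored in PHP serialize() format."""

def _parse(s, i, found):
    """Parse one value at s[i]; return the index just past it; class names go to `found`."""
    t = s[i]
    if t == 'N':                                   # N;
        return i + 2
    if t in 'bid':                                 # b:1; i:42; d:1.5;
        return s.index(';', i) + 1
    colon = s.index(':', i + 2)                    # remaining tokens start with t:<num>:
    num = int(s[i + 2:colon])
    if t == 's':                                   # s:<len>:"<bytes>";
        return colon + 2 + num + 2
    if t == 'a':                                   # a:<n>:{key;value;...}
        j = colon + 2
        for _ in range(num * 2):                   # n keys + n values
            j = _parse(s, j, found)
        return j + 1                               # closing '}'
    if t == 'O':                                   # O:<len>:"<class>":<n>:{prop;value;...}
        found.append(s[colon + 2:colon + 2 + num])
        j = colon + 2 + num + 2                    # after '":'
        colon2 = s.index(':', j)
        n, j = int(s[j:colon2]), colon2 + 2        # after ':{'
        for _ in range(n * 2):
            j = _parse(s, j, found)
        return j + 1
    raise ValueError(f'unsupported token {t!r} at offset {i}')   # C: objects, r:/R: refs

def find_php_objects(value):
    """Class names of every object nested anywhere in `value`; [] if it holds none."""
    s = (value.encode('utf-8') if isinstance(value, str) else value).decode('latin-1')
    found = []                                     # latin-1: one char per byte, so s:<len> matches PHP
    if _parse(s, 0, found) != len(s):
        raise ValueError('trailing data after serialized value')
    return found

def audit_entries(entries):
    """Map entry id -> embedded class names; unparsable rows are flagged, not skipped."""
    report = {}
    for entry_id, raw in entries.items():
        try:
            report[entry_id] = find_php_objects(raw)
        except (ValueError, IndexError):           # truncated/unsupported: review by hand
            report[entry_id] = ['<malformed>']
    return report

# Constructed sample rows; "O:8:" inside the benign message would fool a plain grep.
SAMPLE_ENTRIES = {
    'benign': 'a:2:{s:4:"name";s:5:"Alice";s:7:"message";s:19:"Contact O:8: please";}',
    'suspect': 'a:1:{s:4:"name";O:8:"stdClass":1:{s:4:"note";s:3:"foo";}}',
}
```

Any entry reported with a class name, or as malformed, is one to quarantine and review before it is ever passed back through unserialize().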
Continuous detection
Security teams are actively monitoring for indicators of compromise related to CVE-2025-7384. This includes unusual POST requests to form submission endpoints, deletion of configuration files, and execution of PHP payloads via old database entries.
Detection efforts are focused on identifying successful exploitation rather than scanning for the vulnerability itself. Early detection is key to containing the threat and preventing complete site compromise.
Final thoughts
CVE-2025-7384 is one of the most severe WordPress plugin vulnerabilities in recent years. It requires no authentication, allows destructive file operations, and can result in full site compromise.
Administrators should update the plugin immediately, review their database for old malicious entries, and ensure robust monitoring of form submission endpoints. Treat every public facing form as a potential entry point and remain vigilant against opportunistic attackers.