A critical security vulnerability has been disclosed in the widely used Database for Contact Form 7, WPforms, Elementor Forms plugin for WordPress. Tracked as CVE-2025-7384 and carrying a CVSS score of 9.8, the flaw affects all versions up to and including 1.4.3. It is an unauthenticated PHP Object Injection, which on its own is limited by what classes the site loads, but which in common deployments can be escalated to denial of service or even remote code execution.
The plugin, which boasts over 70,000 active installations, automatically stores form submissions from popular WordPress contact form plugins — including Contact Form 7, WPforms, Elementor Forms, and CRM Perks Forms — directly into the site’s database. This feature makes it a vital tool for many website administrators, but also a high-value target for cybercriminals.
At the core of CVE-2025-7384 is a PHP Object Injection issue triggered by the deserialization of untrusted input within the get_lead_detail function. Because unserialize() instantiates whatever class the serialized data names, an unauthenticated attacker who controls that input can inject arbitrary PHP objects into the application. The injected object itself is inert until PHP invokes one of its magic methods (for example __wakeup() on unserialization or __destruct() when the object is freed); the damage depends on which classes with such methods are loadable on the site.
The risk escalates significantly when the plugin is used alongside Contact Form 7. The report shows that “the additional presence of a POP (Property-Oriented Programming) chain in the Contact Form 7 plugin… allows attackers to delete arbitrary files, including the wp-config.php file.” Once wp-config.php is removed, WordPress no longer knows its database credentials and falls back to the installation wizard: the site is effectively down, and an attacker who reaches the wizard first can point it at a database they control and complete the install, which hands them an administrator account and, from there, remote code execution through the normal theme and plugin upload paths.
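The following is an added example, not code from the plugin, from Contact Form 7 or from the advisory. It shows the vulnerable pattern the report describes (untrusted input passed straight into unserialize()) next to a hardened variant, and uses a hypothetical gadget class, DemoTempFile, as a stand-in for the real POP chain, whose details the advisory does not publish. The function names vulnerable_get_lead_detail and hardened_get_lead_detail are illustrative and are not the plugin's real functions; the target file is a constructed temporary file rather than wp-config.php.

```php
<?php
// Added example (not the plugin's code). Demonstrates why unserialize() on
// attacker-controlled data becomes arbitrary file deletion as soon as a
// class with a side-effecting destructor is loadable.

// Hypothetical gadget: stands in for the Contact Form 7 POP chain the
// advisory mentions. Any loadable class whose __destruct/__wakeup has a
// side effect is a candidate gadget.
class DemoTempFile {
    public string $path = '';

    public function __destruct() {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);   // the side effect the attacker wants to reach
        }
    }
}

// Vulnerable pattern (illustrative name): untrusted input goes straight into
// unserialize(), so the attacker picks which class gets instantiated.
function vulnerable_get_lead_detail(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened pattern: refuse to instantiate any class. Objects in the payload
// come back as __PHP_Incomplete_Class, whose magic methods never run.
// (Better still is to never unserialize() untrusted data and use JSON.)
function hardened_get_lead_detail(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// The payload an attacker would send: a serialized DemoTempFile whose
// "path" names the file to destroy. No code execution is needed to craft it.
function build_payload(string $target): string {
    return sprintf('O:12:"DemoTempFile":1:{s:4:"path";s:%d:"%s";}',
                   strlen($target), $target);
}

// Run both code paths against a constructed temporary file.
function demo(): array {
    $target = tempnam(sys_get_temp_dir(), 'wpconfig_');   // constructed stand-in for wp-config.php
    file_put_contents($target, "<?php // constructed sample\n");
    $payload = build_payload($target);

    $lead = hardened_get_lead_detail($payload);
    $blocked = $lead instanceof __PHP_Incomplete_Class;
    unset($lead);                       // nothing fires: the class was never instantiated
    $blocked = $blocked && is_file($target);

    $lead = vulnerable_get_lead_detail($payload);
    unset($lead);                       // refcount hits zero -> __destruct -> unlink
    $deleted = !is_file($target);

    return ['hardened_blocked' => $blocked, 'vulnerable_deleted' => $deleted];
}

var_dump(demo());
```

On a vulnerable site the only attacker-controlled ingredient is the serialized string; the gadget comes from code that is already installed, which is why the advisory singles out the Contact Form 7 combination. The allowed_classes option has been available since PHP 7.0 and is a reasonable backstop, but the durable fix is to stop deserializing untrusted input altogether.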
If exploited, this vulnerability could:
- Delete critical WordPress configuration files (e.g., wp-config.php)
- Cause site-wide outages and denial of service
- Potentially allow remote code execution
- Lead to complete site compromise if the attacker completes the resulting setup wizard against a database they control
Because the flaw is exploitable without authentication, any publicly accessible site running a vulnerable version is at high risk.
The developers have released version 1.4.4 to patch this vulnerability. Administrators should update immediately, and, as a general precaution for this class of bug, review any custom code that passes request data to unserialize().