The vulnerability, assigned CVE-2025-7384 with a CVSS score of 9.8, enables unauthenticated attackers to inject malicious PHP objects and potentially delete arbitrary files from affected websites.
The vulnerability stems from the deserialization of untrusted data in the plugin’s get_lead_detail function.
This flaw allows attackers to perform PHP Object Injection without authentication, exploiting the unsafe handling of serialized data.
The vulnerable code processes user input through deserialization operations without proper validation, creating an entry point for malicious payloads.
```php
// Vulnerable code pattern in get_lead_detail function
$data = unserialize($_POST['serialized_data']); // Unsafe deserialization of attacker-controlled input
```
When combined with a Property-Oriented Programming (POP) chain present in the Contact Form 7 plugin, which is commonly installed alongside the vulnerable plugin, attackers can escalate the object injection to achieve arbitrary file deletion.
This exploitation chain can lead to denial of service (DoS) conditions or even remote code execution (RCE) when critical files like wp-config.php are deleted.
The vulnerability poses severe risks to WordPress installations, particularly those using Contact Form 7 in conjunction with the affected database plugin.
Successful exploitation can result in complete website compromise, as attackers can target essential configuration files and potentially gain administrative access.
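The following is an added illustration, not code from the affected plugin: the unsafe pattern above beside a hardened handler for the same kind of lead-record input. The function names and the SomeGadget class in the constructed payload are hypothetical; the point is that refusing serialized objects, and passing `allowed_classes` to `unserialize()`, stops the object injection before any POP chain can run.

```php
<?php
// Added example (hypothetical names), not the plugin's own code.

// Unsafe: the caller chooses which class gets instantiated, so any class with a
// __wakeup()/__destruct() gadget on the site (e.g. from another installed plugin) is reachable.
function get_lead_detail_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: a lead record only ever needs scalars and arrays, so reject object
// payloads outright, and as defence in depth disable class instantiation.
function get_lead_detail_hardened(string $raw)
{
    // Serialized objects begin with O:<len>:"<Class>" (or C: for custom serializers).
    if (preg_match('/[OC]:\d+:"/', $raw)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    // allowed_classes => false turns any object that slips through into
    // __PHP_Incomplete_Class, whose magic methods are never invoked (PHP >= 7.0);
    // max_depth bounds nested structures (PHP >= 7.4).
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if ($data === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $data;
}

// Constructed sample inputs: a benign lead record and an object payload for a
// hypothetical gadget class (the path is a placeholder, nothing is touched on disk).
$benign = serialize(['lead_id' => 42, 'email' => 'user@example.com']);
$gadget = 'O:10:"SomeGadget":1:{s:4:"path";s:12:"/tmp/example";}';

var_dump(get_lead_detail_hardened($benign)['lead_id']);

try {
    get_lead_detail_hardened($gadget);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Even without the up-front check, allowed_classes => false neutralises the gadget:
// the result is an instance of __PHP_Incomplete_Class, not SomeGadget.
$obj = unserialize($gadget, ['allowed_classes' => false]);
echo get_class($obj), PHP_EOL;
```

Where the data format is under your control, replacing `serialize()`/`unserialize()` with JSON (`json_encode()`/`json_decode()`) removes the object-injection surface entirely.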
Vulnerability Details Summary:
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-7384 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network (AV:N) |
| Authentication Required | None (PR:N) |
| Affected Versions | ≤ 1.4.3 |
| Patched Version | 1.4.4 |
| Plugin Slug | contact-form-entries |
The vulnerability was publicly disclosed on August 12, 2025, and a patch was released shortly after.
Website administrators should immediately update to version 1.4.4 or newer to prevent exploitation. Security researcher Mikemyers identified and reported this critical flaw through responsible disclosure.
Given the unauthenticated nature of this vulnerability and its potential for remote code execution, organizations using affected versions should prioritize immediate patching and consider implementing additional security measures such as Web Application Firewalls (WAF) and regular security monitoring to detect potential exploitation attempts.
The post Critical WordPress Plugin Flaw Puts 70,000+ Sites at Risk of RCE appeared first on Cyber Security News.