Severe WordPress Plugin Vulnerability Puts Over 70,000 Websites at Risk of Remote Code Execution (RCE) Attacks
A critical security vulnerability has been identified in the widely used “Database for Contact Form 7, WPforms, Elementor forms” WordPress plugin, potentially putting over 70,000 websites at risk of remote code execution attacks. This vulnerability, tracked as CVE-2025-7384 and rated with a maximum CVSS score of 9.8, affects all versions up to and including 1.4.3 and was publicly disclosed on August 12, 2025. The flaw arises from PHP Object Injection through the deserialization of untrusted input in the plugin’s get_lead_detail function, enabling unauthenticated attackers to inject malicious PHP objects without needing user credentials or interaction. This vulnerability represents one of the most severe types of web application weaknesses, allowing attackers to execute arbitrary code on compromised servers.
The vulnerability stems from the deserialization of untrusted data, a common attack vector in which serialized objects supplied by an attacker are processed by the application without adequate validation. Security researcher Mikemyers pinpointed the specific weakness in the plugin’s data handling mechanism, where user-supplied input is passed to the deserializer without proper sanitisation checks. The presence of a Property-Oriented Programming (POP) chain in the Contact Form 7 plugin, often installed alongside the vulnerable database plugin, exacerbates the risk: the chain lets an attacker turn the initial object injection into arbitrary file deletion, potentially targeting critical files such as wp-config.php. Because the attack vector requires no authentication, it is highly accessible to malicious actors. Website administrators are urged to update to version 1.4.4 or newer, which includes the security patches that mitigate this critical vulnerability.
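To make the mechanism concrete for defenders, the following is an added illustrative example, not code from the plugin or from the researcher: a minimal vulnerable pattern that hands untrusted input to `unserialize()`, two hardened alternatives (`allowed_classes => false`, and replacing PHP serialization with JSON), and a small detection helper that flags request bodies carrying a serialized PHP object. The class and function names (`AuditLogEntry`, `get_lead_detail_vulnerable`, and so on) are hypothetical and only mimic the shape of the real `get_lead_detail` function; the stand-in class merely counts how often its `__wakeup` method runs, which is what a real POP chain would abuse.

```php
<?php
// Added illustrative example (not the plugin's own code). Names are hypothetical.

// Stand-in for any loaded class with a "magic" method that a POP chain could
// reach. It only records that the deserializer instantiated it.
class AuditLogEntry {
    public $path;
    public static $wakeups = 0;

    public function __wakeup() {
        // A real gadget would act on $this->path here; this one just counts.
        self::$wakeups++;
    }
}

// VULNERABLE pattern: untrusted request data goes straight into unserialize().
// Any class already loaded in the process can be instantiated, so its
// __wakeup/__destruct methods run with attacker-chosen property values.
function get_lead_detail_vulnerable($untrusted) {
    return unserialize($untrusted);
}

// HARDENED pattern 1 (PHP >= 7.0): refuse to instantiate any class. Serialized
// objects come back as __PHP_Incomplete_Class, whose magic methods never run.
function get_lead_detail_hardened($untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// HARDENED pattern 2: do not use PHP serialization for untrusted input at all.
// JSON cannot express object types, so there is nothing to inject.
function get_lead_detail_json($untrusted) {
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Detection helper for WAF rules or log review: true when a body contains a
// serialized PHP object ("O:<len>:\"Class\":<n>:{") or custom-serialized
// class ("C:..."). Double backslashes allow namespaced class names.
function looks_like_serialized_object($body) {
    $pattern = '/[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';
    return preg_match($pattern, $body) === 1;
}

// Constructed sample input: a serialized AuditLogEntry with a chosen property.
$entry = new AuditLogEntry();
$entry->path = '/var/www/example.txt';
$payload = serialize($entry);

AuditLogEntry::$wakeups = 0;
$obj = get_lead_detail_vulnerable($payload);
printf("vulnerable: class=%s, wakeups=%d\n", get_class($obj), AuditLogEntry::$wakeups);

$obj = get_lead_detail_hardened($payload);
printf("hardened:   class=%s, wakeups=%d\n", get_class($obj), AuditLogEntry::$wakeups);

printf("flagged serialized object: %s\n", looks_like_serialized_object($payload) ? 'yes' : 'no');
printf("flagged plain JSON:        %s\n", looks_like_serialized_object('{"path":"x"}') ? 'yes' : 'no');
```

Run it with `php example.php`: the vulnerable call instantiates the class and increments the wakeup counter, while the hardened call returns an `__PHP_Incomplete_Class` and leaves the counter unchanged, which is exactly the difference that neutralises a POP chain. The detection regex is deliberately narrow (it keys on the object or custom-class prefix, not on scalars such as `s:` or `i:`), so it can sit in a request-inspection rule without flagging ordinary serialized option values.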