PHP Object Injection Vulnerability in Contact Form 7 and Other WordPress Plugins
CVE-2025-7384

CVSS v3.1 base score: 9.8 (CRITICAL)

What is CVE-2025-7384?

CVE-2025-7384 is a PHP Object Injection vulnerability in the Contact Form 7 plugin and related WordPress plugins, affecting all versions up to and including 1.4.3. It is caused by deserialization of untrusted input in the get_lead_detail function, which lets unauthenticated attackers inject arbitrary PHP objects into the application. Object injection by itself only instantiates objects; its real impact depends on which classes are loaded. Here an additional property-oriented programming (POP) chain present in the Contact Form 7 plugin makes the injected object usable for deleting files, so exploitation can cause a denial of service (DoS) or, when a critical file such as wp-config.php is deleted, lead to remote code execution. Organizations running these plugins face substantial risk, since successful exploitation can compromise the integrity of the site and expose sensitive data.
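The vulnerable pattern behind this class of bug, and two ways to close it, as an added illustration that is not code from the advisory or from the affected plugin. The function names, the AuditNote class and the sample inputs are constructed stand-ins; the real get_lead_detail function's signature and the actual POP chain are not shown on the page.

```php
<?php
// Added illustration for this advisory; not code from the affected plugin.
// lead_detail_unsafe / lead_detail_safe / lead_detail_json are hypothetical
// stand-ins for the vulnerable get_lead_detail function.

// A harmless class standing in for any "gadget" class that happens to be loaded
// by WordPress or an active plugin. Its magic method runs automatically during
// unserialize(), which is the mechanism PHP Object Injection abuses.
class AuditNote
{
    public string $message = '';

    public function __wakeup(): void
    {
        // In a real gadget this side effect could be a file operation.
        error_log("AuditNote::__wakeup ran with message: {$this->message}");
    }
}

// VULNERABLE pattern: request data goes straight into unserialize(). Every
// loaded class is a candidate for instantiation, so the sender controls which
// __wakeup()/__destruct() bodies execute and with what property values.
function lead_detail_unsafe(string $raw)
{
    return unserialize($raw);
}

// HARDENED variant 1: keep the serialized format but forbid object creation.
// With allowed_classes => false, every object token is materialised as
// __PHP_Incomplete_Class, whose magic methods never fire.
function lead_detail_safe(string $raw)
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== 'b:0;') {
        return null; // malformed input: fail closed rather than guess
    }
    return $data;
}

// HARDENED variant 2: do not use PHP serialization for data that crosses a
// trust boundary at all. JSON has no way to express object instantiation.
function lead_detail_json(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// DETECTION helper: flag serialized input that carries an object token before
// it reaches unserialize(). Suitable for a logging hook or WAF rule; it is a
// heuristic and can false-positive on string values that contain such tokens.
function contains_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|;)[OC]:\d+:"/', $raw);
}

// Demonstration on constructed inputs (both strings are made up for this example).
$benign = 'a:1:{s:4:"name";s:5:"Alice";}';                // plain array, no objects
$object = 'O:9:"AuditNote":1:{s:7:"message";s:4:"demo";}'; // carries an object token

var_dump(lead_detail_unsafe($benign));
var_dump(get_class(lead_detail_unsafe($object)));
var_dump(get_class(lead_detail_safe($object)));
var_dump(contains_serialized_object($benign));
var_dump(contains_serialized_object($object));
var_dump(lead_detail_json('{"name":"Alice"}'));
```

Running the script shows the difference in behaviour: lead_detail_unsafe() on the object-bearing string yields a live AuditNote instance and its __wakeup() fires, whereas lead_detail_safe() yields a __PHP_Incomplete_Class with no magic method executed, and contains_serialized_object() reports true only for the second input. Of the two hardened variants, moving lead data to JSON removes the object-injection primitive entirely and is the preferred fix; allowed_classes => false is the smaller change when the serialized format must be kept for compatibility with data already stored in the database.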

Potential impact of CVE-2025-7384

  1. Remote Code Execution: The exploitation of this vulnerability may allow attackers to execute arbitrary code on the server. This can enable them to manipulate server functions or escalate their control, potentially leading to widespread system compromise.

  2. Denial of Service: Through the exploitation of this vulnerability, attackers can delete essential files such as wp-config.php, which may render the WordPress site completely inoperable, resulting in downtime and significant disruption to services.

  3. Data Breach Risk: Successful exploitation can provide unauthorized access to sensitive information stored within the WordPress site. This can lead to data breaches that affect both the organization and its user base, resulting in reputational damage and regulatory implications.

Affected Version(s)

Database for Contact Form 7, WPforms, Elementor forms: <= 1.4.3

References

CVSS v3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Mazzolini