PHP Object Injection Vulnerability in Integration for Pipedrive and Contact Form 7 Plugin by WordPress
CVE-2025-7696

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Integration For Pipedrive And Contact Form 7, WPforms, Elementor, Ninja Forms
Vendor: CVE Published:; 19 July 2025

What is CVE-2025-7696?

The Integration for Pipedrive and Contact Form 7 plugin for WordPress is susceptible to PHP Object Injection due to the unsafe deserialization of untrusted input within the verify_field_val() function. This flaw affects all versions up to and including 1.2.3. Attackers can exploit this vulnerability to inject PHP Objects, potentially allowing for arbitrary file deletion through the presence of a PHP Object Pollution (POP) chain in the accompanying Contact Form 7 plugin. Such actions could lead to critical disruptions including Denial of Service (DoS) or remote code execution, particularly if the wp-config.php file is compromised.

Affected Version(s)

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms * <= 1.2.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/integration-fo...

https://wordpress.org/plugins/integration-for-contact-for...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 19, 2025
Vulnerability Reserved
Jul 15, 2025

Credit

Nguyen Tan Phat