PHP Object Injection Vulnerability in Integration for Google Sheets and Contact Form 7 Plugin by WordPress
CVE-2025-7697

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Integration For Google Sheets And Contact Form 7, WPforms, Elementor, Ninja Forms
Vendor: CVE Published:; 19 July 2025

What is CVE-2025-7697?

The Integration for Google Sheets and Contact Form 7 plugin for WordPress is susceptible to PHP Object Injection due to insecure deserialization of unchecked user input within the verify_field_val() function. All versions up to and including 1.1.1 are affected, allowing unauthenticated attackers to exploit this vulnerability. The associated risk is exacerbated by a possible chain of vulnerabilities in the Contact Form 7 plugin, which could enable attackers to delete critical files, such as the wp-config.php file, potentially resulting in denial of service or even remote code execution.

Affected Version(s)

Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms * <= 1.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/integration-for-contact-for...

https://plugins.trac.wordpress.org/browser/integration-fo...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 19, 2025
Vulnerability Reserved
Jul 15, 2025

Credit

Nguyen Tan Phat