PHP Object Injection Vulnerability in Integration for Google Sheets and Contact Form 7 Plugin by WordPress
CVE-2025-7697

9.8CRITICAL

Key Information:

Vendor

WordPress
Status
Integration For Google Sheets And Contact Form 7, WPforms, Elementor, Ninja Forms
Vendor
CVE Published:
19 July 2025

What is CVE-2025-7697?

The Integration for Google Sheets and Contact Form 7 plugin for WordPress is susceptible to PHP Object Injection due to insecure deserialization of unchecked user input within the verify_field_val() function. All versions up to and including 1.1.1 are affected, allowing unauthenticated attackers to exploit this vulnerability. The associated risk is exacerbated by a possible chain of vulnerabilities in the Contact Form 7 plugin, which could enable attackers to delete critical files, such as the wp-config.php file, potentially resulting in denial of service or even remote code execution.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms * <= 1.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wordpress.org/plugins/integration-for-contact-for...
https://plugins.trac.wordpress.org/browser/integration-fo...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Tan Phat
JSON
.