Cyber Resilience

CVE-2025-7384

Critical · RCE

Published: 13 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (changeset noted under Deeper analysis)
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0302 (86.9th percentile)
Risk priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7384 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.4.3. The flaw stems from unsafe deserialization of untrusted input inside the get_lead_detail function, which permits an attacker to supply a serialized PHP object. A POP chain present in the commonly co-installed Contact Form 7 plugin can then be leveraged to delete arbitrary files on the server.

Unauthenticated attackers can exploit the issue over the network without any user interaction. Successful exploitation allows deletion of files such as wp-config.php, resulting in denial of service or potential remote code execution depending on the remaining application state. The vulnerability carries a CVSS 3.1 score of 9.8.

The supplied references point to the vulnerable code path in the plugin repository and a Wordfence advisory entry, but contain no explicit mitigation guidance or patch details beyond the changeset that addresses the deserialization call.

EPSS remains flat at 0.0302 with no material increase after disclosure.

Vulnerability details

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Direct unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) via deserialization, leading to arbitrary file deletion (T1485) and, depending on the remaining application state, RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3017 (shared CWE-502)
CVE-2024-13770 (shared CWE-502)
CVE-2026-27303 (shared CWE-502)
CVE-2025-53586 (shared CWE-502)
CVE-2025-64353 (shared CWE-502)
CVE-2025-31047 (shared CWE-502)
CVE-2026-27096 (shared CWE-502)
CVE-2023-49886 (shared CWE-502)
CVE-2026-23542 (shared CWE-502)
CVE-2025-66631 (shared CWE-502)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2 Flaw Remediation): Directly remediates the PHP object injection vulnerability by patching the deserialization of untrusted input in the get_lead_detail function of the Database for Contact Form 7 plugin.

Prevent (SI-10 Information Input Validation): Validates untrusted input supplied to the get_lead_detail function before deserialization, preventing PHP object injection exploits.

Prevent: Restricts the types and formats of input accepted by the get_lead_detail function, blocking malicious payloads that enable object injection and subsequent file deletion via a POP chain.
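The two input-side controls above (validate before deserializing; restrict the types and formats accepted) come down to a small amount of PHP. The following is an added example written for this page, not code from the plugin, from WordPress core or from the Wordfence advisory: the handler names, the lead-record layout and the sample strings are hypothetical. It places the vulnerable unserialize() call next to two hardened forms, one that keeps the serialized storage format but refuses objects, and one that replaces serialization with JSON plus an allowlist schema.

```php
<?php
declare(strict_types=1);
// Added illustration for PHP 8, not the plugin's code: the function names, the
// lead-record layout and the sample strings below are hypothetical.

// Vulnerable pattern (CWE-502): unserialize() on attacker-influenced input.
// Every serialized object is instantiated, so any class on the autoload path
// with __wakeup() or __destruct() side effects becomes a gadget.
function get_lead_detail_unsafe(string $raw): array
{
    $data = @unserialize($raw);
    return is_array($data) ? $data : [];
}

// True if $value is, or nests, an object (a __PHP_Incomplete_Class placeholder
// left behind by allowed_classes => false is still an object).
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 1: keep the storage format, forbid objects. With
// allowed_classes => false no class is instantiated and no magic method runs;
// any object placeholder that remains causes the whole record to be rejected.
function get_lead_detail_no_objects(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($data) && !contains_object($data)) ? $data : [];
}

// Hardened pattern 2 (SI-10 input validation): store the record as JSON and
// allowlist the keys and scalar types a lead may contain. json_decode() never
// instantiates classes, and the schema check rejects unexpected shapes.
const LEAD_SCHEMA = ['id' => 'integer', 'email' => 'string', 'message' => 'string'];

function get_lead_detail_validated(string $raw): array
{
    $data = json_decode($raw, true, 8);
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    foreach (LEAD_SCHEMA as $key => $type) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $type) {
            return [];   // missing or mistyped field: reject the whole record
        }
        $clean[$key] = $data[$key];
    }
    return $clean;       // keys outside the schema are dropped, not passed on
}

// Constructed sample records. stdClass stands in for a real gadget class so the
// demo runs anywhere without side effects.
$benign  = serialize(['id' => 7, 'email' => 'a@example.test', 'message' => 'hi']);
$hostile = 'a:1:{s:4:"lead";O:8:"stdClass":0:{}}';
$asJson  = json_encode(['id' => 7, 'email' => 'a@example.test', 'message' => 'hi', 'role' => 'admin']);

printf("unsafe instantiated an object: %s\n",
    var_export(contains_object(get_lead_detail_unsafe($hostile)), true));
printf("no_objects kept hostile record: %s\n",
    var_export(get_lead_detail_no_objects($hostile) !== [], true));
printf("no_objects kept benign record:  %s\n",
    var_export(get_lead_detail_no_objects($benign) !== [], true));
printf("validated keys: %s\n",
    implode(',', array_keys(get_lead_detail_validated($asJson))));
```

Pattern 1 is the smallest change when the stored format cannot be migrated, but it only closes the instantiation step; a record that still needs a class is a sign that the storage design, not the parser, should change. Pattern 2 is what SI-10 asks for in full: the shape of the data is decided by the application, and anything outside that shape never reaches the rest of the code path.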
