CVE-2025-7384
Published: 13 August 2025
Summary
CVE-2025-7384 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.4.3. The flaw stems from unsafe deserialization of untrusted input inside the get_lead_detail function, which permits an attacker to supply a serialized PHP object. A POP chain present in the commonly co-installed Contact Form 7 plugin can then be leveraged to delete arbitrary files on the server.
Unauthenticated attackers can exploit the issue over the network without any user interaction. Successful exploitation allows deletion of files such as wp-config.php. Removing that file causes an immediate denial of service and can lead to remote code execution, because WordPress then re-enters its setup routine, which an attacker can drive with a database they control. The vulnerability carries a CVSS 3.1 score of 9.8.
The supplied references point to the vulnerable code path in the plugin repository and a Wordfence advisory entry, but contain no explicit mitigation guidance or patch details beyond the changeset that addresses the deserialization call.
EPSS remains flat at 0.0302 (roughly a 3% estimated probability of exploitation activity in the next 30 days), with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24539
Vulnerability details
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated remote exploitation of a public-facing WordPress plugin (T1190, Exploit Public-Facing Application) via deserialization, leading to arbitrary file deletion (T1485, Data Destruction) and, when wp-config.php is removed, potential remote code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the PHP object injection vulnerability by applying the plugin changeset that replaces the deserialization of untrusted input in the get_lead_detail function of the Database for Contact Form 7 plugin, i.e. moving off the affected releases up to and including 1.4.3.
- SI-10 (Information Input Validation): validates untrusted input supplied to the get_lead_detail function before deserialization, preventing PHP object injection exploits.
- Input restriction (complements SI-10): restricts the types and formats of input accepted by the get_lead_detail function, blocking malicious payloads that enable object injection and subsequent file deletion via the POP chain.
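The script below is an added example illustrating both the deeper analysis above (unserialize() on untrusted input reaching a file-deleting POP gadget) and the SI-2/SI-10 controls listed here. It is not code from the plugin, from Contact Form 7, or from the referenced changeset. The gadget class FileCleanup, the function names get_lead_detail_vulnerable, get_lead_detail_hardened and get_lead_detail_json, and the use of a sandboxed temp file in place of wp-config.php are all assumptions made for the demonstration.

```php
<?php
// Added example, not the plugin's code. Shows CWE-502 / PHP Object Injection:
// unserialize() on attacker-controlled input instantiates whatever class the
// payload names, and PHP runs that class's magic methods (here __destruct).
// FileCleanup and the get_lead_detail_* functions are hypothetical stand-ins.
declare(strict_types=1);

// Hypothetical gadget: any already-loaded class whose __destruct() touches the
// filesystem is a usable POP-chain sink. The real chain lives in another plugin;
// this one only ever unlinks a file the demo created in the temp directory.
final class FileCleanup
{
    public string $path = '';

    public function __destruct()
    {
        // Sink: unlink() on an attacker-controlled property.
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: raw unserialize() of untrusted input. The caller
// has no say in which classes get instantiated.
function get_lead_detail_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1 (SI-10): never let the payload choose a class. With
// allowed_classes => false every object becomes __PHP_Incomplete_Class, which
// has no destructor, so no gadget chain can fire. Then enforce the expected
// shape: a lead detail is a flat string-keyed array of scalars.
function get_lead_detail_hardened(string $untrusted): ?array
{
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $k => $v) {
        if (!is_string($k) || !is_scalar($v)) {
            return null;
        }
    }
    return $data;
}

// Hardened pattern 2 (SI-2 style fix): replace PHP serialization with JSON,
// so object instantiation is never on the table at all.
function get_lead_detail_json(string $untrusted): ?array
{
    $data = json_decode($untrusted, true, 8);
    return is_array($data) ? $data : null;
}

function demo(): void
{
    // Constructed sandbox target standing in for wp-config.php.
    $victim = tempnam(sys_get_temp_dir(), 'cve7384_');
    file_put_contents($victim, "<?php /* pretend this is wp-config.php */\n");

    // Constructed payload: a serialized FileCleanup pointing at the sandbox
    // file. Built with serialize() for clarity; an attacker sends the string
    // directly, e.g. O:11:"FileCleanup":1:{s:4:"path";s:N:"...";}
    $gadget = new FileCleanup();
    $gadget->path = $victim;
    $payload = serialize($gadget);
    $gadget->path = '';   // disarm the local instance before it is destroyed
    echo "payload: {$payload}\n";

    // Legitimate input passes both hardened handlers.
    $legit = ['name' => 'Alice', 'email' => 'alice@example.com'];
    var_dump(get_lead_detail_hardened(serialize($legit)) === $legit); // true
    var_dump(get_lead_detail_json(json_encode($legit)) === $legit);   // true

    // Hardened handlers reject the gadget; the file survives.
    var_dump(get_lead_detail_hardened($payload)); // NULL
    var_dump(get_lead_detail_json($payload));     // NULL
    echo 'after hardened:   ' . (is_file($victim) ? 'file present' : 'file deleted') . "\n";

    // Vulnerable handler: the object is instantiated, __destruct runs, file gone.
    $obj = get_lead_detail_vulnerable($payload);
    echo 'deserialized as ' . get_class($obj) . "\n";
    unset($obj); // refcount hits zero -> __destruct() -> unlink()
    echo 'after vulnerable: ' . (is_file($victim) ? 'file present' : 'file deleted') . "\n";
}

demo();
```

Run it with `php demo.php` on PHP 8. The point of the two hardened handlers is that the gadget never gets a chance to exist: allowed_classes => false turns the payload into an inert __PHP_Incomplete_Class, and JSON has no notion of object instantiation at all. A shape check on the decoded value is still worth keeping in front of whatever consumes the lead record, since a POP chain is only one way untrusted structured data can go wrong.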