Cyber Resilience

CVE-2025-7696

Severity: Critical · RCE

Published: 19 July 2025
Modified: 15 April 2026
Patch: available (see Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0326 (87.4th percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7696 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WordPress (the affected product is inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions through 1.2.3. The flaw stems from unsafe deserialization of untrusted input inside the verify_field_val() function, which permits an attacker to supply a serialized PHP object. The issue is tracked as CWE-502 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the vulnerability over the network by sending a crafted request that triggers object injection. When the Contact Form 7 plugin is also present, a usable POP chain allows the injected object to delete arbitrary files on the server. Successful exploitation can therefore produce denial of service or, when wp-config.php is removed, remote code execution.

A fix is available in the plugin repository; the referenced changeset and updated release address the deserialization flaw. Site administrators should apply the newest version of the integration plugin and ensure Contact Form 7 is also current.

EPSS for the CVE remains flat at 0.0326 with no material increase after disclosure.
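As an added illustration (not the plugin's code and not from this page), the following PHP shows the general CWE-502 pattern the analysis above describes, a coarse request-level indicator for serialized objects that a WAF rule or request logger can apply, and a hardened handler of the kind the SI-10 input-validation control under Mitigating Controls calls for. Only the name verify_field_val() comes from the advisory; the two handler names, the field names and the sample inputs are assumptions, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Only the function name verify_field_val()
// comes from the advisory; its real signature, body and field names are unknown,
// so the handlers below are hypothetical and show only the general CWE-502
// pattern and one way to close it.

// Vulnerable pattern: request-controlled data reaches unserialize(). PHP will
// instantiate whatever class name the payload carries, provided the class is
// loaded or autoloadable (for example from another installed plugin), and will
// run its __wakeup()/__destruct() methods. That is what makes a POP chain in a
// co-installed plugin reachable from an unauthenticated request.
function verify_field_val_vulnerable(string $raw): mixed
{
    return unserialize($raw); // CWE-502: untrusted data, no class restriction
}

// Detection-style check: a PHP serialized object starts with O:<len>:"<Class>":
// (plain objects) or C:<len>:"<Class>": (classes implementing Serializable).
// Nested objects appear after ';' or '{'. Coarse indicator, not a parser.
function looks_like_serialized_object(string $raw): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Hardened handler. The integration only needs a scalar field name and value,
// so it never needs object semantics at all:
//  1. bound the size before parsing,
//  2. accept only JSON, a format that cannot encode PHP objects,
//  3. allow-list the keys and types actually used (hypothetical field names).
function verify_field_val_hardened(string $raw): ?array
{
    if (strlen($raw) > 4096) {
        return null;                     // reject oversized input up front
    }
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;                     // malformed input is rejected, not repaired
    }
    if (!is_array($data)) {
        return null;
    }
    $clean = [];
    foreach (['field_name', 'field_value'] as $key) {    // hypothetical keys
        if (!isset($data[$key]) || !is_string($data[$key])) {
            return null;                 // missing or wrong-typed field
        }
        // Strip control characters; the integration only forwards plain text.
        $clean[$key] = preg_replace('/[\x00-\x1F\x7F]/', '', $data[$key]);
    }
    return $clean;
}

// If legacy serialized input must still be read during a migration window,
// allowed_classes => false turns every embedded object into a
// __PHP_Incomplete_Class whose magic methods never run, which removes the
// POP-chain trigger. Objects were never expected here, so refuse them outright.
function read_legacy_serialized_safely(string $raw): mixed
{
    if (looks_like_serialized_object($raw)) {
        return null;
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null;                     // unserialize() failed
    }
    return $value;
}

// Constructed sample inputs, not captured traffic. stdClass is a harmless
// class; the payload only has the same shape as a real object-injection attempt.
$benignJson       = '{"field_name":"email","field_value":"a@example.com"}';
$serializedScalar = 's:5:"hello";';
$serializedObject = 'O:8:"stdClass":1:{s:1:"x";i:1;}';

var_dump(verify_field_val_vulnerable($serializedObject) instanceof stdClass); // the object is instantiated
var_dump(verify_field_val_hardened($serializedObject));                        // not JSON: rejected
var_dump(verify_field_val_hardened($benignJson));                              // allow-listed keys pass
var_dump(looks_like_serialized_object($serializedObject));                     // indicator fires
var_dump(read_legacy_serialized_safely($serializedScalar));                    // scalars still readable
var_dump(read_legacy_serialized_safely($serializedObject));                    // objects refused
```

The design choice worth noting is the order of defences: the patch removes the sink, but a format that cannot carry objects (JSON with an allow-listed schema) removes the whole class of bug, and allowed_classes => false is only a stop-gap for data that genuinely must remain in PHP's serialized form.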


Vulnerability details

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats: MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated PHP object injection in a public-facing WordPress plugin directly enables remote exploitation (arbitrary file deletion or RCE) via deserialization.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13770 (shared CWE-502)
CVE-2026-27303 (shared CWE-502)
CVE-2025-53586 (shared CWE-502)
CVE-2025-64353 (shared CWE-502)
CVE-2025-31047 (shared CWE-502)
CVE-2026-27096 (shared CWE-502)
CVE-2023-49886 (shared CWE-502)
CVE-2026-23542 (shared CWE-502)
CVE-2025-66631 (shared CWE-502)
CVE-2026-40044 (shared CWE-502)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly remediates the PHP object injection vulnerability by requiring timely patching of the affected plugin versions up to and including 1.2.3.

prevent, SI-10 (Information Input Validation): Prevents exploitation via deserialization of untrusted input in verify_field_val() by enforcing input validation at externally facing interfaces.

prevent, CM-11 (User-installed Software): Prevents installation of the vulnerable WordPress plugin, eliminating exposure to the object injection and the associated POP chain.
