CVE-2025-7696
Published: 19 July 2025
Summary
CVE-2025-7696 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Deeper analysis
The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions through 1.2.3. The flaw stems from unsafe deserialization of untrusted input inside the verify_field_val() function, which permits an attacker to supply a serialized PHP object. The issue is tracked as CWE-502 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the vulnerability over the network by sending a crafted request that triggers object injection. When the Contact Form 7 plugin is also present, a usable POP chain allows the injected object to delete arbitrary files on the server. Successful exploitation can therefore produce denial of service or, when wp-config.php is removed, remote code execution.
A fix is available in the plugin repository; the referenced changeset and updated release address the deserialization flaw. Site administrators should apply the newest version of the integration plugin and ensure Contact Form 7 is also current.
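The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: an unsafe unserialize() on form input next to a hardened equivalent. The function names, bodies and sample inputs below are hypothetical; only the advisory's description of verify_field_val() is taken from the page.

```php
<?php
// Added illustration, not the plugin's code. Function names/bodies are hypothetical.

// Unsafe: unserialize() on attacker-controlled form input. Any class loaded at
// runtime (e.g. from Contact Form 7) can be instantiated, and its __wakeup /
// __destruct methods run with payload-chosen properties: the basis of a POP chain.
function verify_field_val_unsafe(string $raw_field)
{
    return unserialize($raw_field);
}

// Hardened: allowed_classes => false (PHP 7.0+) turns every object in the
// payload into __PHP_Incomplete_Class, so no real class's magic methods run.
// Anything that still carries an object is rejected outright.
function verify_field_val_safe(string $raw_field)
{
    $value = @unserialize($raw_field, ['allowed_classes' => false]);
    if ($value === false && $raw_field !== 'b:0;') {
        return null; // malformed or non-serialized input
    }
    return contains_object($value) ? null : $value;
}

function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Preferable: avoid unserialize() on untrusted data entirely. JSON cannot
// instantiate classes. JSON_THROW_ON_ERROR needs PHP 7.3+.
function verify_field_val_json(string $raw_field)
{
    return json_decode($raw_field, true, 32, JSON_THROW_ON_ERROR);
}

// Constructed samples: a plain array passes, a serialized object does not.
var_dump(verify_field_val_safe('a:1:{s:5:"email";s:11:"a@b.example";}'));
var_dump(verify_field_val_safe('O:8:"stdClass":0:{}'));
```

The first var_dump prints the decoded array; the second prints NULL because the payload carried an object.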
EPSS for the CVE remains flat at 0.0326 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21949
Vulnerability details
The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
PHP object injection in a public-facing WordPress plugin, reachable without authentication, directly enables remote exploitation (arbitrary file deletion or RCE) via deserialization.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the PHP object injection vulnerability by requiring timely patching of the affected plugin versions up to 1.2.3.
- Prevents exploitation via deserialization of untrusted input in verify_field_val() by enforcing input validation at externally-facing interfaces.
- Prevents installation of the vulnerable WordPress plugin, eliminating exposure to the object injection and associated POP chain risks.