CVE-2025-7697

Name of the Vulnerable Software and Affected Versions Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress versions up to and including 1.1.1

Description The plugin is susceptible to PHP Object Injection due to deserialization of untrusted input within the verify field val() function. This allows unauthenticated attackers to inject a PHP Object. The presence of a POP chain in the Contact Form 7 plugin, often used in conjunction with the vulnerable plugin, enables attackers to delete arbitrary files, potentially leading to a denial of service or remote code execution if the wp-config.php file is deleted.

Recommendations Versions up to and including 1.1.1 are affected. Update the Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress to a version newer than 1.1.1.