CVE-2025-7384

Name of the Vulnerable Software and Affected Versions: Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress versions up to and including 1.4.3

Description: The plugin is susceptible to a PHP Object Injection due to the deserialization of untrusted input within the get lead detail function. This allows unauthenticated attackers to inject a PHP Object. The presence of a PHP Object Injection (POP) chain in the Contact Form 7 plugin, often used in conjunction with this plugin, enables attackers to delete arbitrary files, potentially leading to a denial of service or remote code execution, particularly when the wp-config.php file is targeted. Approximately 70,000 sites are estimated to be affected.

Recommendations: Versions prior to 1.4.4 are vulnerable. Update to a version greater than 1.4.3.