CVE-2025-4665

Name of the Vulnerable Software and Affected Versions Contact Form CFDB7 versions up to and including 1.3.2

Description The Contact Form CFDB7 plugin for WordPress is affected by a pre-authentication SQL injection that can lead to insecure deserialization (PHP Object Injection). Insufficient validation of user input in plugin endpoints allows crafted input to influence backend queries, potentially escalating into unsafe deserialization and enabling arbitrary object injection in PHP. This issue is remotely exploitable without authentication, requiring a crafted interaction with the affected endpoint to trigger the issue.

Recommendations Update Contact Form CFDB7 to a version newer than 1.3.2.