A new security vulnerability has been found in a popular WordPress plugin called “Database for Contact Form 7, WPForms, Elementor Forms.” This new security vulnerability could let attackers take over more than 70,000 websites that are running WordPress with that plugin installed.
The flaw is known as CVE-2025-7384. It has a very high severity score of 9.8. All versions of the plugin up to 1.4.3 are at risk.
This problem is a “PHP Object Injection.” It happens because the plugin deserializes data supplied by users without checking whether it is safe. Specifically, a function named `get_lead_detail` can be tricked into running harmful code.
Attackers don’t need any special login details or for a user to do anything for this to work. It’s a remote attack, meaning they can do it from anywhere on the internet.
The plugin tries to unpack “serialized PHP objects,” a text format that describes PHP objects so they can be rebuilt later. It rebuilds whatever the package describes without checking whether it is harmless or malicious.
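The unsafe pattern described above next to a hardened form, as an added illustration that is not the plugin's own code; `get_lead_detail_unsafe`, `get_lead_detail_hardened` and `get_lead_detail_json` are hypothetical names, the sample payloads are constructed, and PHP 8 is assumed.

```php
<?php
// Added illustration (not the plugin's code). A hypothetical lead-detail
// lookup showing the unsafe pattern beside a hardened version.

// UNSAFE: unserialize() on attacker-controlled input rebuilds arbitrary
// objects, so any class whose __wakeup()/__destruct() has side effects
// becomes reachable. This is PHP Object Injection.
function get_lead_detail_unsafe(string $raw): mixed {
    return unserialize($raw);
}

// SAFER: forbid object creation entirely. Any object in the payload becomes
// __PHP_Incomplete_Class, whose magic methods never run, and the result is
// then rejected because a lead record is expected to be a flat array.
function get_lead_detail_hardened(string $raw): array {
    if (strlen($raw) > 65536) {
        throw new InvalidArgumentException('lead payload too large');
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('lead payload is not an array');
    }
    foreach ($data as $k => $v) {
        if ($v !== null && !is_scalar($v)) {
            throw new InvalidArgumentException("lead field '$k' is not scalar");
        }
    }
    return $data;
}

// BEST: do not use PHP serialization for untrusted data at all. JSON carries
// no class information, so there is nothing to instantiate.
function get_lead_detail_json(string $raw): array {
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('lead payload is not an object');
    }
    return $data;
}

// Constructed sample inputs: a benign lead record, and a payload that tries
// to smuggle in an object (stdClass here, which is harmless by itself).
$benign = serialize(['name' => 'Alice', 'email' => 'alice@example.com']);
var_dump(get_lead_detail_hardened($benign));            // array(2) {...}
try {
    get_lead_detail_hardened('O:8:"stdClass":0:{}');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";               // not an array
}
```

The second call is rejected because, with `allowed_classes` set to `false`, the object token is decoded as `__PHP_Incomplete_Class` rather than a usable object, so no constructor, `__wakeup()` or `__destruct()` code runs.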
If you also have the “Contact Form 7” plugin installed, the situation gets even worse. This combination gives attackers a way to delete important files on your website. They could, for example, delete your `wp-config.php` file. This file holds key settings for your WordPress site.
If `wp-config.php` is deleted, your WordPress site thinks it needs to be set up again. An attacker can then step in, complete the setup, and gain full control over your site as an administrator. This can lead to your entire website being taken over.
Why This Is Serious
Extremely easy to exploit: Attackers don’t need much skill to use this flaw.
No login needed: The attackers don’t need an account or password in order to exploit the vulnerable WordPress installation.
Big impact: Hackers can get full control of your WordPress site, steal data, or break your website.
The most important step is to update your plugin.
1. Update Immediately: Go to your WordPress dashboard. Find the “Database for Contact Form 7, WPForms, Elementor Forms” plugin and update it to version 1.4.4 or newer. This new version includes the fix.
2. Check Other Plugins: Make sure all your other plugins are updated and from trusted sources.
3. Review Settings: Always check that any data people put into your forms is properly checked and cleaned by your plugins.
About the Plugin Developer
The company behind this plugin, CRM Perks, has had security issues with their WordPress plugins before. They usually release fixes quickly, but the repeated high-severity flaws show there are ongoing challenges with how they write and check their code for security.
It’s vital to update your plugin right away to protect your website.