CVE-2025-4665

Published 29/10/2025 00:15 · Modified 29/10/2025 00:15

Labels: CVE-2025-4665 · 2025-10-29 · CWE-89 · [email protected]

Essential information

Published
29/10/2025 00:15
Modified
29/10/2025 00:15
Author
Creator
CVSS
9.6 CRITICAL (v3.1)
CISA KEV
No
CWE
CWE-89
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

The WordPress plugin Contact Form CFDB7, in versions up to and including 1.3.2, is affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises from insufficient validation of user input in plugin endpoints, allowing crafted input to influence backend queries in unexpected ways. With specially crafted payloads, this can escalate into unsafe deserialization, enabling arbitrary object injection in PHP. Although the issue is remotely exploitable without authentication, triggering it requires a crafted interaction with the affected endpoint.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product
wordpress / contact form cfdb7
CPE
cpe:2.3:a:wordpress:contact_form_cfdb7:<1.3.2:*:*:*:*:*:*