CVE-2025-7697

216.73.216.6

· Published 19/07/2025 05:15 · Modified 19/07/2025 05:15

Labels: CVE-2025-7697 2025-07-19 CVE-2025-7697 CWE-502 [email protected]

Essential information

Published: 19/07/2025 05:15
Modified: 19/07/2025 05:15
Author: —
Creator: —
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
wordpress / google sheets integration	`cpe:2.3:a:wordpress:google_sheets_integration::::::wordpress::*`
contact form 7 / contact form 7	`cpe:2.3:a:contact_form_7:contact_form_7::::::wordpress::*`
wpforms / wpforms	`cpe:2.3:a:wpforms:wpforms::::::wordpress::*`
elementor / elementor	`cpe:2.3:a:elementor:elementor::::::wordpress::*`
ninja forms / ninja forms	`cpe:2.3:a:ninja_forms:ninja_forms::::::wordpress::*`