Platform: wordpress
Component: contact-form-cfdb7
Fixed in: 1.3.3
CVE-2025-4665 is a critical vulnerability affecting the Contact Form CFDB7 WordPress plugin. This vulnerability allows for SQL injection, which can cascade into insecure deserialization (PHP Object Injection) due to insufficient input validation. Successful exploitation could lead to unauthorized access, data modification, or even complete system compromise. The vulnerability impacts versions 0.0.0 through 1.3.2, and a patch is available in version 1.3.3.
The SQL injection vulnerability in Contact Form CFDB7 allows attackers to inject malicious SQL queries into the plugin's backend. This can be exploited to bypass authentication, retrieve sensitive data (user credentials, contact information, form submissions), modify database records, or even execute arbitrary commands on the server. The cascading insecure deserialization further amplifies the impact, enabling attackers to inject arbitrary PHP objects, potentially leading to remote code execution. Given the widespread use of WordPress and contact form plugins, a successful exploitation of this vulnerability could have a significant impact on numerous websites and their users.
CVE-2025-4665 was publicly disclosed on 2025-10-28. While no active exploitation campaigns have been definitively confirmed, the vulnerability's CRITICAL severity and the ease of exploitation make it a high-priority target. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Websites using the Contact Form CFDB7 plugin, particularly those running older, unpatched versions (0.0.0–1.3.2), are at significant risk. Shared hosting environments where multiple websites share the same server infrastructure are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / plugin: Use wp-cli to check the installed plugin version (wp plugin list prints the plugin slug, so match on cfdb7 rather than the display name):
  wp plugin list --status=active --fields=name,version | grep -i cfdb7
• wordpress / plugin: Search plugin files for vulnerable code patterns (e.g., $_GET or $_POST values used without proper sanitization) using grep.
• generic web: Monitor access logs for unusual SQL query patterns targeting the plugin's endpoints. Look for UNION SELECT or other common SQL injection techniques.
• generic web: Check response headers for unexpected PHP object serialization or deserialization activity.
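The log-monitoring check above, worked as an added example that is not part of this advisory: a small Python scanner that flags requests to the plugin carrying SQL-injection shapes (UNION SELECT, tautologies, time-based functions) or a serialized PHP object header. The admin page slug in the constructed log lines and the indicator regexes are assumptions; scoping keys only on the substring "cfdb7".

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined access-log format (not real traffic).
# The admin page slug is an assumption; scoping keys only on the substring "cfdb7".
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=cfdb7-list.php HTTP/1.1" 200 5123
203.0.113.9 - - [28/Oct/2025:10:00:07 +0000] "GET /wp-admin/admin.php?page=cfdb7-list.php&fid=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 5123
198.51.100.2 - - [28/Oct/2025:10:00:09 +0000] "GET /wp-admin/admin.php?page=cfdb7-list.php&fid=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 5123
198.51.100.3 - - [28/Oct/2025:10:00:12 +0000] "GET /?s=union+select HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Indicator regexes are assumptions: common SQLi shapes plus a PHP serialized-object header.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "tautology": re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}
PHP_OBJECT_RE = re.compile(r'\bO:\d+:"[^"]+":\d+:\{')  # e.g. O:8:"stdClass":0:{}


def classify_target(target: str) -> list[str]:
    """Return indicator tags found in a URL-decoded request target."""
    decoded = unquote_plus(target)
    tags = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
    if PHP_OBJECT_RE.search(decoded):
        tags.append("php_object")
    return tags


def scan_log(text: str) -> list[dict]:
    """Flag plugin requests carrying SQLi or PHP-object indicators.
    Access logs show only GET query strings; POST bodies need WAF/app logging."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or "cfdb7" not in m.group("target").lower():
            continue  # unparsable, or not aimed at the plugin
        tags = classify_target(m.group("target"))
        if tags:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "target": m.group("target"), "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["time"], ",".join(hit["tags"]), hit["target"])
```

The fourth sample line matches a SQLi pattern but is not scoped to the plugin, so it is deliberately not reported; widen the scope check if you want site-wide coverage.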
Disclosure
Exploit status
EPSS: 0.17% (38th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-4665 is to immediately upgrade the Contact Form CFDB7 plugin to version 1.3.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a short-term workaround, implement a Web Application Firewall (WAF) with rules to filter out potentially malicious SQL injection attempts targeting the plugin's endpoints. Regularly review and sanitize all user inputs within the plugin to prevent future vulnerabilities. Monitor WordPress logs for suspicious SQL queries or PHP object creation activity.
Update the Contact Form CFDB7 plugin to a version later than 1.3.2. This resolves the SQL injection and insecure deserialization vulnerability. You can update the plugin directly from the WordPress administration panel.
CVE-2025-4665 is a critical SQL injection and insecure deserialization vulnerability in the Contact Form CFDB7 WordPress plugin, allowing attackers to potentially gain unauthorized access and control.
If you are using Contact Form CFDB7 versions 0.0.0 through 1.3.2, you are affected by this vulnerability and should upgrade immediately.
Upgrade the Contact Form CFDB7 plugin to version 1.3.3 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin and implement WAF rules.
While no active exploitation campaigns have been definitively confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.