Platform: wordpress
Component: contact-form-cfdb7
Fixed in: 1.3.3
CVE-2025-4665 is a critical vulnerability affecting the Contact Form CFDB7 WordPress plugin. This vulnerability allows for SQL injection, which can cascade into insecure deserialization (PHP Object Injection) due to insufficient input validation. Successful exploitation could lead to unauthorized access, data modification, or even complete system compromise. The vulnerability impacts versions 0.0.0 through 1.3.2, and a patch is available in version 1.3.3.
The SQL injection vulnerability in Contact Form CFDB7 allows attackers to inject malicious SQL queries into the plugin's backend. This can be exploited to bypass authentication, retrieve sensitive data (user credentials, contact information, form submissions), modify database records, or even execute arbitrary commands on the server. The cascading insecure deserialization further amplifies the impact, enabling attackers to inject arbitrary PHP objects, potentially leading to remote code execution. Given the widespread use of WordPress and contact form plugins, a successful exploitation of this vulnerability could have a significant impact on numerous websites and their users.
CVE-2025-4665 was publicly disclosed on 2025-10-28. While no active exploitation campaigns have been definitively confirmed, the vulnerability's CRITICAL severity and the ease of exploitation make it a high-priority target. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.17% (38th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-4665 is to immediately upgrade the Contact Form CFDB7 plugin to version 1.3.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a short-term workaround, implement a Web Application Firewall (WAF) with rules to filter out potentially malicious SQL injection attempts targeting the plugin's endpoints. Regularly review and sanitize all user inputs within the plugin to prevent future vulnerabilities. Monitor WordPress logs for suspicious SQL queries or PHP object creation activity.
Update the Contact Form CFDB7 plugin to a version later than 1.3.2. This fixes the SQL injection and insecure deserialization vulnerability. You can update the plugin directly from the WordPress admin dashboard.
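As an added example (not code from this page or from the plugin project), the following POSIX shell check lets a site operator confirm whether an installed copy of the plugin falls in the affected range stated above (any version below 1.3.3). The plugin main-file path and the `Version:` header line are assumptions based on the standard WordPress plugin header layout; adjust the path to your install. The sample header it reads is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: checks whether an installed Contact Form CFDB7 copy is in the
# affected range for CVE-2025-4665 (versions below 1.3.3, per the advisory).

CFDB7_FIXED_VERSION="1.3.3"

# vercmp A B: prints -1, 0 or 1 for dotted numeric versions. Pure POSIX sh,
# so it does not depend on GNU `sort -V` being available on the host.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# cfdb7_is_vulnerable VERSION: exit status 0 when VERSION is below the fixed release.
cfdb7_is_vulnerable() {
    [ "$(vercmp "$1" "$CFDB7_FIXED_VERSION")" -lt 0 ]
}

# cfdb7_installed_version [FILE]: reads the "Version:" line of the plugin header.
# The default path is an assumption based on the usual wp-content layout.
cfdb7_installed_version() {
    plugin_file="${1:-wp-content/plugins/contact-form-cfdb7/contact-form-cfdb7.php}"
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$plugin_file" | head -n 1
}

# Constructed sample header (not a real plugin file) so the check runs offline.
sample_header=$(mktemp)
printf '<?php\n/*\n * Plugin Name: Contact Form CFDB7\n * Version: 1.3.2\n */\n' > "$sample_header"
v=$(cfdb7_installed_version "$sample_header")
if cfdb7_is_vulnerable "$v"; then
    echo "contact-form-cfdb7 $v is affected by CVE-2025-4665; upgrade to $CFDB7_FIXED_VERSION or later"
else
    echo "contact-form-cfdb7 $v is not in the affected range"
fi
rm -f "$sample_header"
```

On a live site, point `cfdb7_installed_version` at the real plugin file (or feed it the output of `wp plugin get contact-form-cfdb7 --field=version` if WP-CLI is installed) and run the check from a cron job or configuration-management task so that an outdated copy surfaces before a public proof of concept does.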
CVE-2025-4665 is a critical SQL injection and insecure deserialization vulnerability in the Contact Form CFDB7 WordPress plugin, allowing attackers to potentially gain unauthorized access and control.
If you are using Contact Form CFDB7 versions 0.0.0 through 1.3.2, you are affected by this vulnerability and should upgrade immediately.
Upgrade the Contact Form CFDB7 plugin to version 1.3.3 or later to resolve the vulnerability. If upgrading is not possible, temporarily disable the plugin and implement WAF rules.
While no active exploitation campaigns have been definitively confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.