cleantalk
Vulnerabilities and Security Researches

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms, CVE-2025-7696

CVE, Research URL

CVE-2025-7696

Home page URL

Security reports for Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms

Application

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms

Published on
Jul 19, 2025
Research Description
The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
Affected versions
Min -, max 1.2.4.
Status
vulnerable
Previous vulnerability researches
Wishlist for WooCommerce: Multi Wishlists Per Customer (CVE-2024-56228) , Dec 23, 2024
Wishlist for WooCommerce: Multi Wishlists Per Customer (CVE-2025-48237) , May 27, 2025
Wishlist for WooCommerce: Multi Wishlists Per Customer (CVE-2024-10519) , Nov 24, 2024
Wishlist for WooCommerce: Multi Wishlists Per Customer (CVE-2025-49319) , Jul 18, 2025
Wishlist for WooCommerce: Multi Wishlists Per Customer (CVE-2024-13774) , Mar 08, 2025
New vulnerability
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms (CVE-2025-7696) , Jul 21, 2025
Temporarily Hidden Content (CVE-2025-7658) , Jul 21, 2025
Testimonial Post type (CVE-2025-5800) , Jul 21, 2025
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-7369) , Jul 21, 2025
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-7354) , Jul 21, 2025