Critical WordPress Plugin Vulnerability Puts 70,000+ Sites at Risk of Remote Code Execution
Threat Overview
A critical security vulnerability has been identified in the popular WordPress plugin 'Database for Form 7, WPforms, Elementor forms,' potentially exposing over 70,000 websites to severe remote code execution (RCE) attacks. The vulnerability, tracked as CVE-2025-7384, has a maximum Common Vulnerability Scoring System (CVSS) score of 9.8, highlighting the significant risk associated with this flaw. According to cybersecurity experts, 'this vulnerability allows unauthenticated attackers to inject malicious PHP objects into the application without requiring any user credentials' [1]. The issue lies in the plugin's get_lead_detail function, which fails to properly sanitize user input before deserialization, creating an avenue for exploitation.
The vulnerability's implications are further exacerbated by its interaction with the Form 7 plugin, which is frequently used alongside the affected database plugin. This combination enables attackers to escalate their access, potentially leading to arbitrary file deletion and complete site compromise. Specifically, the deletion of the wp-config.php file poses a significant risk, as it could result in a denial of service or allow attackers to achieve remote code execution on the server [2].
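The root cause described above is user-controlled data reaching PHP's unserialize(), which lets a request instantiate arbitrary classes (PHP object injection). The following PHP is an added example and is not the plugin's code; the function and parameter names (handle_lead_detail_request, lead_id) and the sample stored row are assumptions. It contrasts the unsafe pattern with two defensive ones: treating the request parameter as a plain integer identifier so it never reaches unserialize(), and decoding any legitimately serialized stored data with allowed_classes disabled so no object can be created.

```php
<?php
// Added example (not the plugin's code). Names below are assumptions.
declare(strict_types=1);

// Unsafe pattern: untrusted input handed straight to unserialize(). Any class
// loaded by WordPress or another plugin that defines __wakeup/__destruct/
// __toString becomes reachable from the request, which is what "PHP object
// injection" means. Shown only for contrast; do not use.
function unsafe_decode(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern 1: the request parameter is an identifier, so validate it
// as a positive integer and let the database do the lookup.
function parse_lead_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened pattern 2: if stored rows legitimately hold serialized arrays,
// decode them with allowed_classes => false. Any object in the payload then
// becomes __PHP_Incomplete_Class instead of a live instance; reject it.
function safe_unserialize(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('Malformed serialized data');
    }
    if (contains_incomplete_object($value)) {
        throw new InvalidArgumentException('Serialized object rejected');
    }
    return is_array($value) ? $value : ['value' => $value];
}

function contains_incomplete_object($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Simulated request handling (assumed name). A real WordPress handler would
// also verify a nonce and the caller's capability before touching the row.
function handle_lead_detail_request(array $request): string
{
    $id = parse_lead_id($request['lead_id'] ?? null);
    if ($id === null) {
        return 'invalid lead id';
    }
    // Constructed sample of what a stored row might contain (assumption).
    $stored = 'a:2:{s:4:"name";s:5:"Alice";s:5:"email";s:17:"alice@example.com";}';
    $fields = safe_unserialize($stored);
    return sprintf('lead %d: %s <%s>', $id, $fields['name'], $fields['email']);
}

// Constructed inputs: a legitimate id, a non-integer value that is dropped
// before any deserialization, and a serialized object that the hardened
// decoder refuses to turn into an instance.
echo handle_lead_detail_request(['lead_id' => '42']), PHP_EOL;
echo handle_lead_detail_request(['lead_id' => 'O:8:"stdClass":0:{}']), PHP_EOL;
try {
    safe_unserialize('O:8:"stdClass":0:{}');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that the first defence (validating the identifier) removes unserialize() from the request path entirely, which is the fix that actually closes the class of bug; the allowed_classes guard is a second layer for data that was serialized by the application itself, and a migration to json_encode/json_decode for such rows removes the hazard altogether.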
This vulnerability was publicly disclosed on August 14, 2025, prompting immediate concern within the WordPress community. Security researchers noted that 'the combination of this vulnerability with existing attack chains can lead to catastrophic consequences for website owners' [3]. In response, the plugin developers released patch version 1.4.4 to address the issue, emphasizing the importance of updating to this version to mitigate the risks associated with the vulnerability.
The industry response has been swift, with many security professionals urging website administrators to apply the patch immediately. 'The availability of public exploit code significantly lowers the barrier for attackers,' warned a cybersecurity analyst [4]. As a result, the security community is closely monitoring the situation, with threat intelligence platforms reporting increased scanning activity targeting vulnerable sites.
To protect against potential exploitation, website administrators are advised to update their plugins to the latest version as soon as possible. The WordPress security team has provided guidance for patching and recommends regular security assessments to identify and remediate vulnerabilities. 'Immediate deployment of the patch is critical,' stated a representative from the WordPress security team [5]. As the situation develops, maintaining vigilance and ensuring that all security measures are up to date will be essential for protecting these websites from potential attacks.
Related Articles
Critical WordPress Plugin Vulnerability Exposes 70,000+ Sites to RCE Attacks
A critical security vulnerability has been discovered in the popular "Database for Form 7, WPforms, Elementor forms" WordPress plugin, potentially exposing over 70,000 websites to remote code execution attacks. The vulnerability, tracked as CVE-2025-7384 with a maximum CVSS score of 9.8, affects all versions up to and including 1.4.3 and was publicly disclosed on […]