Introduction
Attackers can compromise WordPress sites running Contact Form CFDB7 without needing credentials, potentially leading to full site takeover. With over 600,000 installations, this plugin's vulnerability has broad implications for data integrity and site security across the WordPress ecosystem.
Contact Form CFDB7 is a widely used WordPress plugin that stores Contact Form 7 submissions in the database. Its popularity makes any critical vulnerability in its codebase a significant concern for site operators and service providers.
Technical Information
CVE-2025-4665 is a pre-authentication SQL injection vulnerability in Contact Form CFDB7 versions up to and including 1.3.2. The root cause is insufficient input validation in one or more plugin endpoints that process user-supplied data. Attackers can submit crafted payloads to these endpoints, resulting in direct manipulation of backend SQL queries. The lack of proper sanitization or use of prepared statements allows the injection of arbitrary SQL, which can be used to extract or modify database contents.
What makes this vulnerability especially severe is its potential to escalate into insecure deserialization (PHP object injection). If attacker-controlled input is stored in the database and later unserialized by the plugin or another WordPress component, it can lead to arbitrary object injection. This opens the door to remote code execution if suitable gadget chains are present in the environment. The vulnerability does not require authentication but does require interaction with a specific vulnerable endpoint. No vulnerable code snippets or proof of concept details are publicly available at this time.
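The plugin's own code for this issue is not public, so the following hypothetical WordPress handler is an added illustration of the two defects the advisory describes, each beside its remediation: a form value concatenated into a query versus `$wpdb->prepare()`, and a stored value passed to `unserialize()` versus a decode that cannot instantiate objects. The table name, column names and function names are assumptions, not CFDB7 identifiers.

```php
<?php
// Hypothetical plugin handler (added example; not CFDB7 code).
// The table and column names are placeholders.

// WEAK: an untrusted form value is concatenated into the SQL text, so any
// quote or operator it contains becomes part of the query.
function weak_lookup_submission( $form_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_submissions';
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE form_id = '{$form_id}'" );
}

// HARDENED: cast to the expected type first, then let $wpdb->prepare() bind
// the value with a typed placeholder instead of string interpolation.
function safe_lookup_submission( $form_id ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_submissions';
    $form_id = absint( $form_id ); // expected to be a numeric post ID
    $sql     = $wpdb->prepare( "SELECT * FROM {$table} WHERE form_id = %d", $form_id );
    return $wpdb->get_results( $sql );
}

// WEAK: stored submission data is rebuilt with unserialize(). If an attacker
// can write to this column (for example via the injection above), a crafted
// serialized string instantiates arbitrary classes (PHP object injection),
// which is how the advisory's escalation path to RCE would begin.
function weak_read_fields( $stored ) {
    return unserialize( $stored );
}

// HARDENED: never instantiate classes from stored data. Prefer JSON for the
// field bag; for legacy rows, allowed_classes => false turns every object into
// __PHP_Incomplete_Class, so gadget-chain __wakeup()/__destruct() methods
// cannot run.
function safe_read_fields( $stored ) {
    $decoded = json_decode( $stored, true );
    if ( is_array( $decoded ) ) {
        return $decoded;
    }
    $legacy = unserialize( $stored, array( 'allowed_classes' => false ) );
    return is_array( $legacy ) ? $legacy : array();
}
```

Detection-wise, a code review or static scan of a plugin can flag exactly these two patterns: `$wpdb` calls whose query string interpolates request data, and `unserialize()` calls on database values without `allowed_classes`.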
Affected Systems and Versions
- Product: Contact Form CFDB7 (WordPress plugin)
- Affected Versions: Up to and including 1.3.2
- Only sites with this plugin enabled and not updated beyond 1.3.2 are vulnerable
Vendor Security History
Contact Form CFDB7 has a history of security issues, including:
- Previous SQL injection vulnerabilities (e.g., CVE-2021-01-21)
- CSV injection (CWE-1336) in version 1.2.5.5
- Unauthenticated stored XSS (CVE-2025-6740) in versions up to 1.3.1
The vendor has released patches for past vulnerabilities, but input validation flaws have recurred. Patch response times have varied, and details on the fix for CVE-2025-4665 are not yet public.