WordPress Contact Form CFDB7 SQL Injection Vulnerability Leading to Insecure Deserialization

Vulnerability

A pre-authentication SQL injection vulnerability has been identified in the WordPress plugin Contact Form CFDB7, affecting versions through 1.3.2. The flaw stems from inadequate validation of user input at plugin endpoints, which allows crafted request data to alter the backend SQL queries the plugin builds. Exploitation of this SQL injection can be escalated into insecure deserialization, enabling arbitrary PHP object injection. The vulnerability is remotely exploitable without authentication, but it requires a specific interaction with the affected endpoint to trigger.

Impact

Exploitation of this vulnerability could allow an unauthenticated attacker to read and exfiltrate sensitive database contents, modify or corrupt records, and, where a usable PHP object injection gadget chain is present on the host, execute code remotely.

Remediation

Update the Contact Form CFDB7 plugin to version 1.3.3, which addresses this vulnerability.
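The following is an added illustration of the two weaknesses the advisory chains together (unvalidated input reaching a SQL query, and stored data being deserialized into live PHP objects) beside a hardened form of the same lookup. It is not code from the CFDB7 plugin or from the advisory; the table name `example_forms`, the column `form_value`, the `form_id` parameter and the assumption that the plugin unserializes a value read back from the database are all hypothetical, chosen to show the pattern rather than the plugin's real internals.

```php
<?php
// Added illustration, not the plugin's code. Table/column names are hypothetical.

// Vulnerable pattern: the request parameter is concatenated into the SQL string
// unvalidated, and the value read back from the database is passed straight to
// unserialize(). An injected query can make the SELECT return attacker-chosen
// bytes, so the SQL injection turns into PHP object injection.
function example_lookup_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_forms'; // hypothetical table name
    $sql   = "SELECT form_value FROM {$table} WHERE form_id = " . $_GET['form_id'];
    $row   = $wpdb->get_row( $sql );
    return unserialize( $row->form_value );
}

// Hardened pattern:
//  1. the identifier is coerced to an integer and bound with $wpdb->prepare();
//  2. unserialize() runs with allowed_classes => false, so no class is ever
//     instantiated from stored bytes (objects degrade to __PHP_Incomplete_Class);
//  3. only an array result is accepted, which is all a form record should hold.
function example_lookup_hardened() {
    global $wpdb;
    $form_id = absint( $_GET['form_id'] ?? 0 );
    if ( 0 === $form_id ) {
        return null;
    }
    $table = $wpdb->prefix . 'example_forms'; // hypothetical table name
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT form_value FROM {$table} WHERE form_id = %d", $form_id )
    );
    if ( null === $row ) {
        return null;
    }
    $data = unserialize( $row->form_value, array( 'allowed_classes' => false ) );
    // unserialize() returns false both for malformed input and for a stored
    // boolean false; neither is a valid form record here, so reject both.
    return is_array( $data ) ? $data : null;
}
```

Two design points carry over to any plugin that stores serialized submissions: `$wpdb->prepare()` with a typed placeholder removes the injection surface entirely, and `allowed_classes => false` closes the object-injection path even if some other bug lets untrusted bytes reach `unserialize()`. For new data, `json_encode()`/`json_decode()` avoids PHP serialization altogether.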

Added: Oct 29, 2025, 12:17 AM
Updated: Oct 29, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 8.1
exploitability: 6.5
remediation: 7.7
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.