Database for Contact Form 7, WPforms, Elementor Forms PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Database for Contact Form 7, WPforms, and Elementor Forms plugin for WordPress, affecting all versions through 1.4.3. The vulnerability arises from the deserialization of untrusted input in the 'get_lead_detail' function, allowing unauthenticated attackers to inject PHP objects. Exploitation of this vulnerability is facilitated by a Property-Oriented Programming (POP) chain present in the Contact Form 7 plugin, which could be used to delete arbitrary files. This file deletion could result in a denial-of-service condition or potentially allow for remote code execution if the deleted file is critical, such as 'wp-config.php'.

Impact

Exploitation of this vulnerability could lead to unauthorized PHP object injection, with the potential for arbitrary file deletion. If a critical file like 'wp-config.php' is deleted, it could result in a denial-of-service condition or allow for remote code execution.

Reproduction

The vulnerability can be reproduced by sending a crafted request that exploits the 'get_lead_detail' function. This request must include serialized data that, when deserialized, injects a PHP object. The presence of a POP chain in the Contact Form 7 plugin can then be used to delete arbitrary files on the server.
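The deserialization flaw described in the Vulnerability and Reproduction sections, shown as an added PHP illustration of the bug class beside two hardened forms and a simple detection check. This is not the plugin's own code: the function names, the shape of the untrusted value, the sample payload and the PHP 8 runtime are assumptions made for the example.

```php
<?php
// Added illustration of the PHP Object Injection pattern described above.
// NOT the plugin's code: function names, input shape and payload are assumed.

// Vulnerable pattern: a request-controlled string goes straight into unserialize().
// Every class loaded at runtime that defines __wakeup(), __destruct() or similar
// magic methods becomes a potential gadget for a POP chain.
function get_lead_detail_vulnerable(string $untrusted): mixed {
    return unserialize($untrusted);
}

// Hardened pattern 1: keep the serialized format but refuse to instantiate any class.
// With 'allowed_classes' => false (PHP >= 7.0) every object in the payload becomes
// __PHP_Incomplete_Class, whose magic methods never run, so gadget chains are inert.
function get_lead_detail_hardened(string $untrusted): mixed {
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if ($data === false || $data instanceof __PHP_Incomplete_Class) {
        return null;   // malformed input or an object we did not expect
    }
    return $data;
}

// Hardened pattern 2 (preferred for new code): do not use PHP serialization across a
// trust boundary at all. JSON cannot carry objects with behaviour, only plain data.
function get_lead_detail_json(string $untrusted): ?array {
    try {
        $data = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Detection helper: flag request values that look like serialized PHP objects
// (O:<len>:"<class>") so a WAF rule or log review can spot probing of the endpoint.
// 'C:' (custom-serialized objects) is included for completeness.
function looks_like_serialized_object(string $value): bool {
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $value);
}

// Constructed demonstration payload: a harmless serialized stdClass, NOT a gadget.
$sample = serialize((object) ['id' => 1]);   // O:8:"stdClass":1:{s:2:"id";i:1;}

var_dump(get_lead_detail_vulnerable($sample) instanceof stdClass);   // bool(true): object was instantiated
var_dump(get_lead_detail_hardened($sample));                         // NULL: object refused
var_dump(get_lead_detail_json('{"id":1}'));                          // array(1) { ["id"]=> int(1) }
var_dump(looks_like_serialized_object($sample));                     // bool(true): flagged for logging
```

The `allowed_classes => false` form is the smallest change that removes the object-injection primitive from an existing `unserialize()` call, because no class's `__wakeup()` or `__destruct()` can execute; it does not make the format safe for anything beyond scalars and arrays, so where the endpoint only ever needs plain data, moving it to JSON is the cleaner fix. The detection regex is a coarse indicator for logging, not a substitute for the code change.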

Remediation

Users are advised to update the plugin to version 1.4.4 or later.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating (Custom Algorithm)

spread: 3.4
impact: 7.5
exploitability: 9.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.