Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms PHP Object Injection Vulnerability

A PHP Object Injection vulnerability has been identified in the Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress, in all versions prior to 1.2.4. The vulnerability arises from the deserialization of untrusted input in the verify_field_val() function, allowing unauthenticated attackers to inject PHP objects. Exploitation of this vulnerability could lead to the deletion of arbitrary files, causing a denial-of-service condition or potentially allowing remote code execution if the wp-config.php file is removed.

Impact

Exploitation of this vulnerability allows for PHP Object Injection, which can be leveraged to execute arbitrary code or delete files, depending on the injected object's behavior. In this case, deleting the wp-config.php file could lead to remote code execution.

Reproduction

The vulnerability can be reproduced by sending a crafted request that includes serialized PHP objects to a WordPress site with the vulnerable plugin installed. This can be done using a tool like Burp Suite or by writing a custom script that sends the serialized object payload to the site.

Remediation

Users are advised to update the plugin to version 1.2.4 or later.