Database for Contact Form 7, WPforms, Elementor Forms PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Database for Contact Form 7, WPforms, and Elementor Forms plugin for WordPress, affecting all versions through 1.4.7. The vulnerability arises from the deserialization of untrusted input in the 'download_csv' function, allowing unauthenticated attackers to inject a PHP object. No known payload execution chain exists within the vulnerable software itself, but if another installed plugin or theme provides a suitable chain, exploitation could lead to arbitrary file deletion, sensitive data exposure, or code execution, depending on the nature of the injected object.

Impact

Exploitation of this vulnerability could allow for PHP Object Injection, with the potential for arbitrary file deletion, execution of injected code, or exposure of sensitive information, especially if an additional plugin or theme with a suitable payload execution chain is installed.

Reproduction

The vulnerability can be reproduced by sending a request to the 'download_csv' function with a crafted payload that exploits the deserialization of untrusted input. This can be done by manipulating the 'vx_crm_key' parameter to inject a PHP object.

Remediation

Users are advised to update the Database for Contact Form 7, WPforms, Elementor Forms plugin to version 1.4.8 or later.
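The unserialize()-on-request-input pattern the advisory describes, shown beside a hardened handler, as an added PHP illustration that is not the plugin's own code: the function names, the capability, the nonce action, the JSON field layout and the allowed form keys are assumptions; only 'download_csv' and 'vx_crm_key' come from the advisory.

```php
<?php
// Added illustrative example, not the plugin's code. Only the handler name
// 'download_csv' and the 'vx_crm_key' parameter come from the advisory; the
// capability, nonce action, JSON layout and form keys below are assumptions.

// --- Risky pattern: the request parameter is passed straight to unserialize(). ---
function vx_download_csv_insecure() {
    $raw = isset( $_REQUEST['vx_crm_key'] ) ? wp_unslash( $_REQUEST['vx_crm_key'] ) : '';
    // Any class loaded in the install can be instantiated, and its __wakeup() /
    // __destruct() methods run, for whoever sent the request (no auth check).
    $filter = unserialize( $raw );
    // ... build and stream the CSV using $filter ...
}

// --- Hardened replacement. ---
function vx_download_csv_secure() {
    // 1. Only authenticated users with a suitable capability may export entries.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. Require a nonce so the export cannot be triggered cross-site.
    check_ajax_referer( 'vx_crm_download_csv', 'nonce' );

    // 3. Never unserialize() request data. Accept a small JSON structure and
    //    validate every field against an explicit allow-list.
    $raw     = isset( $_REQUEST['vx_crm_key'] ) ? wp_unslash( $_REQUEST['vx_crm_key'] ) : '';
    $decoded = json_decode( $raw, true );   // assoc arrays only, no objects created
    if ( ! is_array( $decoded ) ) {
        wp_die( 'Bad request', '', array( 'response' => 400 ) );
    }
    $allowed_forms = array( 'cf7', 'wpforms', 'elementor' );   // assumed form keys
    $form = isset( $decoded['form'] ) ? sanitize_key( $decoded['form'] ) : '';
    if ( ! in_array( $form, $allowed_forms, true ) ) {
        wp_die( 'Bad request', '', array( 'response' => 400 ) );
    }
    $form_id = isset( $decoded['form_id'] ) ? absint( $decoded['form_id'] ) : 0;
    // ... build and stream the CSV for ( $form, $form_id ) ...
}

// If serialized input must still be accepted for backward compatibility, refuse
// to instantiate any class: unserialize( $raw, array( 'allowed_classes' => false ) )
// turns every object into __PHP_Incomplete_Class, whose magic methods never run.
```

Both the capability check and the nonce belong on the admin-ajax action registration as well (wp_ajax_ only, not wp_ajax_nopriv_), otherwise the export remains reachable by unauthenticated requests.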

Added: Mar 5, 2026, 1:21 PM
Updated: Mar 5, 2026, 1:21 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 8.7
remediation: 7.7
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.