
CVE-2025-4665: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WordPress Contact Form 7 Database Addon CFDB7 By Arshid CFDB7

Severity: Critical
Tags: Vulnerability, CVE-2025-4665, CWE-89
Published: Tue Oct 28 2025 (10/28/2025, 23:54:29 UTC)
Source: CVE Database V5
Vendor/Project: WordPress Contact Form 7 Database Addon CFDB7 By Arshid
Product: CFDB7

Description

WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises due to insufficient validation of user input in plugin endpoints, allowing crafted input to influence backend queries in unexpected ways. Using specially crafted payloads, this can escalate into unsafe deserialization, enabling arbitrary object injection in PHP. Although the issue is remotely exploitable without authentication, it does require a crafted interaction with the affected endpoint in order to trigger successfully.

AI-Powered Analysis

Last updated: 11/05/2025, 02:14:11 UTC

Technical Analysis

CVE-2025-4665 affects the WordPress Contact Form 7 Database Addon CFDB7 plugin, versions up to and including 1.3.2. The root cause is a pre-authentication SQL injection (CWE-89): user-supplied input reaches a backend query without adequate validation or parameterisation, so a crafted request can change the query's structure and make it return attacker-chosen rows. That is what makes the second stage possible: the data the injected query returns is later deserialized by the plugin, so an attacker who controls the query result also controls the serialized payload and can instantiate arbitrary PHP classes loaded by the site (PHP Object Injection). Whether object injection turns into code execution depends on the gadget classes available in the installed WordPress core, themes and plugins (typically classes whose __wakeup or __destruct methods write files or call functions on attacker-controlled properties); the SQL injection by itself already permits reading and modifying stored data. The issue is exploitable remotely without authentication, but it requires a crafted interaction with the plugin's endpoints, such as a specially formed request against the affected parameter, rather than passive exposure. The CVSS v3.1 score is 9.6 (critical): high impact on confidentiality, integrity and availability with low attack complexity and no privileges required. No official patch links are provided in the record, and no in-the-wild exploitation has been reported. The CVE was reserved in May 2025 and published in October 2025; Mandiant is the assigning CNA. Given WordPress's footprint and the popularity of this addon for storing Contact Form 7 submissions, sites running CFDB7 face significant risk.
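The chain described above, as an added illustration rather than CFDB7's own code: a lookup that concatenates a request parameter into SQL lets a UNION return a serialized object in place of the stored array, and unserialize() then builds that object and runs its __destruct. The table name wp_db7_forms and its layout are assumptions modelled on a plugin that stores submissions as serialized arrays, and LogWriter is a hypothetical gadget class. The hardened variant shows the two independent fixes: a parameterised query (with WordPress's $wpdb the equivalent is $wpdb->prepare() with a %d placeholder) and unserialize() with allowed_classes disabled. It runs stand-alone on PHP 8 with the bundled SQLite PDO driver.

```php
<?php
// Added illustration (not CFDB7's code): SQL injection handing attacker bytes
// to unserialize(), and the two fixes. Requires PHP 8 with pdo_sqlite.

// Hypothetical gadget: any loaded class with __wakeup/__destruct side effects
// becomes reachable once attacker data hits unserialize().
class LogWriter {
    public $path = '/tmp/app.log';
    public $data = '';
    public function __destruct() {
        // A real gadget would do file_put_contents($this->path, $this->data).
        echo "[gadget] __destruct fired, would write to {$this->path}\n";
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed table (assumption): submissions stored as serialized PHP arrays.
$db->exec("CREATE TABLE wp_db7_forms (form_id INTEGER PRIMARY KEY, form_value TEXT)");
$db->exec("INSERT INTO wp_db7_forms VALUES (1, '" . serialize(['your-name' => 'Alice']) . "')");

// Vulnerable: parameter concatenated into SQL, result fed straight to unserialize().
function load_submission_vulnerable(PDO $db, string $id): mixed {
    $row = $db->query("SELECT form_value FROM wp_db7_forms WHERE form_id = $id")
              ->fetch(PDO::FETCH_ASSOC);
    return $row ? unserialize($row['form_value']) : false;
}

// Hardened: bound parameter (with $wpdb: $wpdb->get_var($wpdb->prepare(
// "SELECT form_value FROM {$wpdb->prefix}db7_forms WHERE form_id = %d", $id)))
// and unserialize() forbidden from instantiating any class.
function load_submission_hardened(PDO $db, string $id): array|false {
    $stmt = $db->prepare("SELECT form_value FROM wp_db7_forms WHERE form_id = ?");
    $stmt->execute([(int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;
    }
    $value = unserialize($row['form_value'], ['allowed_classes' => false]);
    return is_array($value) ? $value : false;   // objects become __PHP_Incomplete_Class, rejected
}

// Attacker payload, written out literally so no LogWriter is created on the attacker side.
// form_id = 0 matches nothing, so the query returns only the UNIONed gadget string.
$gadget  = 'O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/evil.php";s:4:"data";s:5:"pwned";}';
$payload = "0 UNION SELECT '" . $gadget . "'";

echo "vulnerable:\n";
$obj = load_submission_vulnerable($db, $payload);
var_dump($obj instanceof LogWriter);   // bool(true): attacker-defined object exists in the process
unset($obj);                           // __destruct runs here with attacker-controlled properties

echo "hardened:\n";
var_dump(load_submission_hardened($db, $payload));   // bool(false): payload cast to 0, no row
var_dump(load_submission_hardened($db, '1'));        // array(1) { ["your-name"]=> "Alice" }
// Second layer on its own: even if the bytes reach unserialize(), no class is instantiated.
var_dump(unserialize($gadget, ['allowed_classes' => false]) instanceof __PHP_Incomplete_Class); // bool(true)
```

Both layers matter: the parameterised query removes the attacker's control over what the database returns, and allowed_classes => false ensures that stored data which has already been tampered with (or poisoned through any other path) cannot instantiate gadgets when it is read back.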

Potential Impact

European organizations running WordPress sites with the Contact Form 7 Database Addon CFDB7 are at significant risk. Exploitation can expose everything the plugin stores, which is the full content of submitted contact forms, typically names, e-mail addresses, phone numbers and free-text messages from the public. Integrity can be compromised by unauthorized modification or deletion of database records, and availability by destructive queries or by code execution on the web server. The consequences include reputational damage, regulatory exposure (a leak of submitted personal data is a notifiable breach under the GDPR) and operational disruption. Public-facing websites of businesses, government entities and NGOs in Europe that rely on this plugin to collect contact form data are particularly exposed. Where the web server is not isolated, attackers could use a compromised site to reach internal systems or to stage further malware. Because no authentication is required, the barrier to exploitation is low, and the critical severity underscores the urgency for European organizations to assess their exposure and apply mitigations promptly.

Mitigation Recommendations

1. Immediately identify and inventory all WordPress installations using the Contact Form 7 Database Addon CFDB7 plugin, and record the installed version; anything at or below 1.3.2 is affected.
2. Apply official updates from the plugin vendor as soon as they are released. Until a fixed version is available, deactivate or uninstall the plugin; note that uninstalling may remove the stored submissions, so export them first if they are needed.
3. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts against the plugin's endpoints, focusing on UNION/comment/tautology fragments and on serialized PHP object markers (O:<n>:"ClassName":) in query strings and POST bodies.
4. Audit and review any customizations built on the plugin to ensure they do not add further unparameterised queries or unserialize() calls on stored data.
5. Monitor web server, WAF and application logs for exploitation indicators: URL-encoded SQL fragments, serialized PHP objects in request data, and unusual requests to the plugin's admin pages. CFDB7 stores each submission as a serialized PHP array; a stored value that begins with O: (an object) rather than a: (an array) is a strong sign of tampering and should be quarantined, not displayed.
6. Harden the WordPress installation: make the document root read-only for the PHP process apart from the uploads directory, set DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS in wp-config.php, disable PHP functions the site does not need (for example exec, system, passthru), and run the web tier in an isolated network segment with restricted outbound access, so that a successful object injection has fewer usable gadgets and less reach.
7. Educate site administrators about the risks of running outdated plugins and the importance of timely updates.
8. Apply defense-in-depth on the data itself: keep the database account used by WordPress limited to the site's own schema, and back up the submissions table so that tampered or deleted records can be restored. A Content Security Policy does not help here; it is a browser-side control and has no effect on server-side PHP execution.
9. Prepare incident response plans so that detected exploitation can be contained and remediated quickly, including a decision on whether stored submissions must be treated as breached.
10. Engage cybersecurity vendors or managed security services for advanced threat detection and response capabilities where in-house coverage is limited.
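Two of the steps above (the version inventory in step 1 and the log indicators in step 5) as added triage helpers that are not part of CFDB7 or of this page. The version check parses the "Version:" line of a plugin's main file header, the format WordPress itself reads, and compares it with 1.3.2; the log scanner URL-decodes each line and flags serialized PHP object markers and common SQL injection fragments. The sample plugin header and the three log lines are constructed, and the cfdb7-list.php admin URL in them is an illustrative request target, not a claim about the vulnerable endpoint.

```php
<?php
// Added triage helpers (not CFDB7's code): affected-version check and a
// request-log indicator scan. Runs stand-alone on PHP 8.

// Step 1: inventory. Returns true if the parsed version is <= 1.3.2,
// false if newer, null if no version line could be parsed.
function cfdb7_version_is_vulnerable(string $plugin_header): ?bool {
    if (!preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9.]*)/mi', $plugin_header, $m)) {
        return null;   // cannot decide automatically: inspect manually
    }
    return version_compare($m[1], '1.3.2', '<=');
}

// Step 5: detection. Flags lines whose URL-decoded content contains a
// serialized PHP object (O:<len>:"Class":<n>:{) or a SQL injection fragment.
// Works on the request target from access logs and on whatever body excerpt
// a WAF or application log records.
function find_suspicious_requests(array $log_lines): array {
    $patterns = [
        'php_object'    => '/O:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/',
        'sql_union'     => '/\bUNION(?:\s+ALL)?\s+SELECT\b/i',
        'sql_tautology' => '/\bOR\s+[\'"]?\d+[\'"]?\s*=\s*[\'"]?\d+/i',
        'sql_comment'   => '/(?:--|\/\*)\s*(?:HTTP\/|$)/m',
    ];
    $hits = [];
    foreach ($log_lines as $i => $line) {
        $decoded = rawurldecode($line);   // indicators are usually percent-encoded in access logs
        foreach ($patterns as $name => $re) {
            if (preg_match($re, $decoded)) {
                $hits[] = [
                    'line'      => $i + 1,
                    'indicator' => $name,
                    'excerpt'   => substr($decoded, 0, 120),
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample inputs (not a real plugin file, not real traffic).
$header = <<<TXT
<?php
/*
Plugin Name: Contact Form CFDB7
Version: 1.3.2
*/
TXT;

$log = [
    '203.0.113.5 - - [29/Oct/2025:00:10:01 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/5/feedback HTTP/1.1" 200 312',
    '203.0.113.5 - - [29/Oct/2025:00:10:07 +0000] "GET /wp-admin/admin.php?page=cfdb7-list.php&fid=0%20UNION%20SELECT%20%27O%3A4%3A%22Evil%22%3A0%3A%7B%7D%27 HTTP/1.1" 200 9870',
    '198.51.100.9 - - [29/Oct/2025:00:11:30 +0000] "GET /?s=contact HTTP/1.1" 200 15002',
];

var_dump(cfdb7_version_is_vulnerable($header));   // bool(true)
print_r(find_suspicious_requests($log));           // two hits on line 2: php_object and sql_union
```

The scanner is deliberately narrow: it is a triage filter for picking lines to examine, not a replacement for WAF rules, and it cannot see POST bodies that the access log does not record. Feed it WAF or application logs for form submissions where those are available.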


Technical Details

Data Version
5.1
Assigner Short Name
Mandiant
Date Reserved
2025-05-13T19:40:03.481Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69015aaf30d110a1a6d3e830

Added to database: 10/29/2025, 12:07:11 AM

Last enriched: 11/5/2025, 2:14:11 AM

Last updated: 12/13/2025, 9:08:11 AM
