CVE-2025-7384: CWE-502 Deserialization of Untrusted Data in crmperks Database for Contact Form 7, WPforms, Elementor forms
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
AI Analysis
Technical Summary
CVE-2025-7384 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the crmperks Database plugin for Contact Form 7, WPforms, and Elementor forms on WordPress. The flaw exists in the get_lead_detail function, where untrusted input is deserialized without proper validation or sanitization, allowing unauthenticated attackers to perform PHP Object Injection. This injection can leverage a Property Oriented Programming (POP) gadget chain present in the Contact Form 7 plugin, facilitating arbitrary file deletion on the server. Specifically, attackers can delete the wp-config.php file, which is crucial for WordPress configuration, potentially causing denial of service or enabling remote code execution if the system attempts to recreate or execute code based on missing or manipulated configuration files. The vulnerability affects all plugin versions up to and including 1.4.3. The attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making exploitation straightforward. The vulnerability impacts confidentiality, integrity, and availability severely, as attackers can execute arbitrary code or disrupt service. Although no exploits have been observed in the wild yet, the high CVSS score (9.8) indicates a critical threat that demands immediate attention. The lack of available patches at the time of publication increases the urgency for mitigation.
Potential Impact
The impact of CVE-2025-7384 is severe for organizations using WordPress sites with the affected crmperks Database plugin alongside Contact Form 7, WPforms, or Elementor forms. Successful exploitation can lead to complete compromise of the web server through remote code execution, allowing attackers to execute arbitrary commands, steal sensitive data, or pivot within the network. Deletion of wp-config.php can cause site downtime, loss of configuration, and potential data loss, severely affecting availability and integrity. Given the widespread use of these popular WordPress plugins, many websites including e-commerce, corporate, and governmental portals are at risk. The vulnerability's unauthenticated and network-exploitable nature means attackers can target sites en masse without needing credentials or user interaction, increasing the likelihood of automated attacks and wormable spread. This can result in significant reputational damage, financial loss, and regulatory consequences for affected organizations worldwide.
Mitigation Recommendations
1. Immediate upgrade to a patched version of the crmperks Database plugin once available; monitor vendor announcements closely.
2. If patches are not yet released, disable or remove the crmperks Database plugin temporarily to eliminate the attack surface.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious deserialization payloads and PHP Object Injection attempts targeting the get_lead_detail function.
4. Restrict file system permissions to prevent the web server user from deleting critical files like wp-config.php, limiting the impact of file deletion attempts.
5. Monitor web server and application logs for unusual activity, especially POST requests to form endpoints and errors related to deserialization or file operations.
6. Employ runtime application self-protection (RASP) tools that can detect and block unsafe deserialization at runtime.
7. Conduct a thorough security audit of all WordPress plugins and remove or replace those that are unmaintained or vulnerable.
8. Educate site administrators on the risks of installing plugins from untrusted sources and the importance of timely updates.
9. Use intrusion detection systems (IDS) to alert on exploitation attempts targeting this vulnerability.
10. Regularly back up WordPress site files and databases to enable rapid recovery in case of compromise.
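As an added illustration of recommendations 3 and 5 (not code from the plugin, its vendor or this advisory), the following Python check flags form-encoded request bodies in which a field carries a PHP serialized-object token, including when the value is URL-encoded a second time or base64-encoded. It assumes request bodies are available from a WAF or audit log; the function names, field names and sample bodies are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote_plus

# PHP serialize() writes objects as  O:<name length>:"<class>":<property count>:{
# and Serializable classes as        C:<name length>:"<class>":<data length>:{
# The token may start the value or follow ';' or '{' when nested in an array.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def _candidates(value):
    """Yield the field value as received plus its decoded variants."""
    yield value
    once_more = unquote_plus(value)          # value was URL-encoded twice
    if once_more != value:
        yield once_more
    try:                                     # value was base64-wrapped
        raw = base64.b64decode(value, validate=True)
        yield raw.decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        pass


def find_serialized_objects(body):
    """Return sorted (field, class) pairs for fields carrying a PHP object."""
    hits = set()
    # parse_qsl already removes one layer of URL encoding.
    for field, value in parse_qsl(body, keep_blank_values=True):
        for text in _candidates(value):
            for match in PHP_OBJECT.finditer(text):
                hits.add((field, match.group(1)))
    return sorted(hits)


# Constructed sample bodies; stdClass is a harmless built-in PHP class.
SAMPLES = [
    "your-name=Alice&your-message=Hello+there",
    "your-name=Bob&your-message=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "your-name=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
    "your-name=Eve&note=" + base64.b64encode(b'O:8:"stdClass":0:{}').decode(),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(find_serialized_objects(body) or "clean", "<-", body[:48])
```

A hit means a form field contained an object token where plain text was expected; treat it as an alert to review or block rather than as proof of exploitation.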
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-09T09:44:00.490Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689c18f7ad5a09ad003e6af1
Added to database: 8/13/2025, 4:47:51 AM
Last enriched: 2/26/2026, 4:09:35 PM
Last updated: 3/24/2026, 5:09:10 PM