CVE-2025-7384: 
WordPress vulnerability analysis and mitigation

The Contact Form Entries WordPress plugin before version 1.4.4 contains a PHP Object Injection vulnerability. The issue was discovered in August 2025 and affects the plugin's handling of serialized data in form entries. The vulnerability was assigned CVE-2025-7384 (Ubuntu Notice).

The vulnerability exists in the plugin's data handling functionality where unsanitized serialized data from form entries could be processed insecurely. The issue specifically relates to the maybe_unserialize() function in the plugin's codebase that did not properly validate serialized input before processing it. This was fixed in version 1.4.4 by adding validation checks based on entry creation timestamps (WordPress Plugin).

If successfully exploited, this vulnerability could allow an attacker to inject malicious PHP objects into the application, potentially leading to remote code execution on the affected WordPress installation. The vulnerability affects all installations of the Contact Form Entries plugin prior to version 1.4.4.

The vulnerability has been patched in version 1.4.4 of the Contact Form Entries plugin. Site administrators should update to this version immediately. The fix implements proper validation of serialized data by checking entry creation timestamps before unserialization (WordPress Plugin).