CVE-2025-7696: 
WordPress vulnerability analysis and mitigation

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 1.2.3. The vulnerability was discovered on July 19, 2025, and affects the verifyfieldval() function. This security issue allows unauthenticated attackers to perform PHP Object Injection through deserialization of untrusted input (NVD).

The vulnerability exists in the verifyfieldval() function where untrusted input is deserialized without proper validation. The issue is tracked as CWE-502 (Deserialization of Untrusted Data). The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows unauthenticated attackers to inject PHP Objects. When combined with a POP chain present in the Contact Form 7 plugin, attackers can delete arbitrary files, potentially leading to denial of service or remote code execution if the wp-config.php file is deleted (NVD).

The vulnerability has been patched in version 1.2.4 of the plugin. Users are strongly advised to update to this version immediately. The fix addresses the PHP Object Injection vulnerability by removing the unsafe deserialization of untrusted input (WordPress Plugin).