CVE-2025-7697: 
WordPress vulnerability analysis and mitigation

The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 1.1.1. The vulnerability was discovered on July 18, 2025, and assigned CVE-2025-7697. The issue exists in the verifyfieldval() function where untrusted input can be deserialized, allowing unauthenticated attackers to inject PHP objects (NVD).

The vulnerability stems from unsafe deserialization of untrusted input within the verifyfieldval() function. When combined with a POP chain present in the Contact Form 7 plugin, attackers can delete arbitrary files, potentially leading to denial of service or remote code execution if the wp-config.php file is deleted. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows unauthenticated attackers to delete arbitrary files on the affected system, which can result in denial of service. If attackers manage to delete the wp-config.php file, it could lead to remote code execution. The high CVSS score of 9.8 indicates critical severity with potential for complete system compromise (NVD).

The vulnerability has been patched in version 1.1.2 of the plugin. Users are strongly advised to update to this version immediately. The update specifically addresses the PHP Object Injection vulnerability issue (WordPress Plugin).