Latest WordPress Security Alert: Critical Risk in Contact Form Entries Plugin
Running a WordPress website should be straightforward, but the latest news highlights how easily security can be compromised. The Database for Contact Form 7, WPForms, Elementor Forms plugin, used to store contact form submissions, has been identified with a critical vulnerability affecting over 70,000 sites worldwide.
What’s Happened?
- A PHP Object Injection vulnerability was discovered in all plugin versions up to and including 1.4.3.
- This flaw allows attackers (even those not logged in) to inject malicious code, potentially delete key site files such as wp-config.php, and even execute arbitrary code.
- If your site uses both this entries plugin and Contact Form 7, the risk is especially heightened, because an exploitable chain of classes (a “POP chain”) becomes available during deserialization.
How Can You Check If You’re Affected?
- Identify if you use the plugin: In your WordPress dashboard, look for “Database for Contact Form 7, WPForms, Elementor Forms” under Plugins.
- Check your version: If the number shown is 1.4.3 or below, your website is vulnerable. The current patched version is 1.4.5; anything higher than 1.4.3 is currently safe.
- Do you use Contact Form 7 as well? If so, you must act urgently, as the exploit risk increases.
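The three checks above can be scripted against WP-CLI output. The following POSIX shell script is an added example, not code from this advisory or from the plugin's authors; it assumes the entries plugin's slug is contact-form-entries (verify it against your Plugins page), uses contact-form-7 for Contact Form 7, and runs on a constructed sample of `wp plugin list` output so it works offline.

```shell
#!/bin/sh
# Added example: decide whether a site is affected by the issue described above,
# using `wp plugin list --fields=name,status,version --format=csv` output.
# Assumption: the entries plugin's slug is "contact-form-entries".
# Versions must be numeric and dot-separated (as 1.4.3, 1.4.5 are).

# Returns 0 when version $1 is older than or equal to version $2.
version_le() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# Takes the CSV text as its argument and prints one verdict:
# not-installed, patched, vulnerable, or vulnerable-with-cf7.
# Returns 1 when action is needed: any installed copy at 1.4.3 or below,
# active or not, since the advice is to update it or delete it.
assess_site() {
    entries_ver=""; cf7_active=0
    while IFS=, read -r name status version; do
        case "$name" in
            contact-form-entries) entries_ver="$version" ;;
            contact-form-7) if [ "$status" = active ]; then cf7_active=1; fi ;;
        esac
    done <<EOF
$1
EOF
    if [ -z "$entries_ver" ]; then echo "not-installed"; return 0; fi
    if version_le "$entries_ver" "1.4.3"; then
        if [ "$cf7_active" -eq 1 ]; then echo "vulnerable-with-cf7"; else echo "vulnerable"; fi
        return 1
    fi
    echo "patched"
    return 0
}

# Constructed sample standing in for a real `wp plugin list` run.
SAMPLE_CSV="name,status,version
contact-form-entries,active,1.4.3
contact-form-7,active,6.1"

assess_site "$SAMPLE_CSV" || echo "action required: update to 1.4.5 or remove the plugin"
```

On a live site, replace the sample with `wp plugin list --fields=name,status,version --format=csv` and feed its output to assess_site.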
When will a proper patch be available to fix this plugin vulnerability?
The critical vulnerability in the “Database for Contact Form 7, WPForms, Elementor Forms” plugin has already been addressed by the developers. The official patch is included in version 1.4.4 and newer releases. The latest version available as of August 2025 is 1.4.5, which is safe to use.
If your site is running any version up to and including 1.4.3, it remains vulnerable. You should update your plugin to at least 1.4.4 immediately, although using the most current version (1.4.5) is recommended for maximum protection.
What Should You Do Next?
- Update Immediately: Visit the Plugins page in WordPress, locate the affected plugin, and update to the latest version (now 1.4.5).
- Remove if not needed: If you no longer use this plugin, deactivate and delete it from your site to eliminate any residual risk.
- Review site backups: Ensure you have recent, secure backups in case restoration is required.
How The WP Support Agency Protects Clients
If you’re a client of The WP Support Agency, there’s no need to panic. Our proactive approach means:
- Virtual patching: Newly discovered threats are blocked before official patches are available.
- Rapid patch management: All official plugin updates and security fixes are applied promptly.
- Layered security & monitoring: Advanced protection and around-the-clock monitoring defend against the whole spectrum of risks.
Your website is in safe hands – you won’t need to stress every time a new threat emerges.