CVE-2026-2599
Ninja Team · Database for Contact Form 7, WPforms, Elementor forms
The Database for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection via the 'download_csv' function. This could lead to code execution if a POP chain is present.
Executive summary
A critical PHP Object Injection vulnerability in a popular WordPress contact form database plugin could allow unauthenticated attackers to execute code or delete files.
Vulnerability
This vulnerability occurs because the download_csv function deserializes untrusted input. An unauthenticated attacker can supply a serialized PHP object that the plugin passes to unserialize(), instantiating arbitrary classes. While the plugin itself does not contain a "Property-Oriented Programming" (POP) chain, the presence of other plugins or themes with a POP chain could enable remote code execution or arbitrary file deletion.
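The pattern behind the finding, as an added illustration that is not the plugin's own code: an unrestricted unserialize() on request data instantiates whatever class the payload names and runs its magic methods, which is exactly what a gadget chain elsewhere on the site hooks into. The class name ExportState, the function names, and the use of a serialized filter array are assumptions; the two hardened variants show the defences a patch would normally apply (refuse to instantiate classes, or drop PHP's native format for JSON).

```php
<?php
// Added illustration, not the plugin's code. Shows the generic unsafe pattern
// behind PHP Object Injection and two hardened alternatives. "ExportState" and
// the function names are hypothetical.

class ExportState
{
    public bool $wokeUp = false;

    // Magic methods such as __wakeup/__destruct run automatically when an object
    // is rebuilt by unserialize(); a POP chain in another plugin abuses that.
    public function __wakeup(): void
    {
        $this->wokeUp = true;
    }
}

// Unsafe: attacker-controlled data reaches unserialize() with no restrictions,
// so any class loaded in the process can be instantiated and its magic methods fire.
function unsafe_restore(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened 1: refuse to instantiate any class. Objects in the payload become
// __PHP_Incomplete_Class, so no real __wakeup/__destruct runs. The result is
// then checked to be a flat array of scalars, which is all an export filter needs.
function safe_restore(string $untrusted): ?array
{
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $value) {
        if (!is_scalar($value) && $value !== null) {
            return null; // nested objects or arrays are rejected
        }
    }
    return $data;
}

// Hardened 2: avoid PHP's native serialization entirely. JSON cannot carry
// objects with behaviour, so there is nothing for a gadget chain to hook.
function safe_restore_json(string $untrusted): ?array
{
    $data = json_decode($untrusted, true, 8);
    return is_array($data) ? $data : null;
}

// Constructed sample input: a serialized object standing in for request data.
$objectPayload = serialize(new ExportState());
$arrayPayload  = serialize(['form_id' => 3, 'status' => 'sent']);

$obj = unsafe_restore($objectPayload);
var_dump($obj instanceof ExportState && $obj->wokeUp); // magic method ran on untrusted input

var_dump(safe_restore($objectPayload));                  // object payload is rejected
var_dump(safe_restore($arrayPayload));                   // plain scalar array is accepted
var_dump(safe_restore_json('{"form_id":3,"status":"sent"}'));
```

Running the script shows the unsafe path reporting that __wakeup executed for an object it never asked for, while safe_restore returns null for the same payload and only accepts the flat array. Note that `allowed_classes => false` alone is not a complete fix: the deserialized value must still be validated, because an attacker can otherwise still shape arrays and scalars the code later trusts.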
Business impact
If exploited, this could lead to the total compromise of the WordPress site, including data theft and defacement. Because many sites use multiple plugins, the probability of a usable POP chain being present is high. The CVSS score of 9.8 reflects the potential for unauthenticated remote code execution.
Remediation
Immediate Action: Update the "Database for Contact Form 7, WPforms, Elementor forms" plugin to the latest version (above 1.4.7) immediately.
Proactive Monitoring: Use a security scanner to check for unauthorized file changes and monitor for suspicious requests targeting the download_csv functionality.
Compensating Controls: Use a Web Application Firewall (WAF) with rules specifically designed to block PHP Object Injection and serialized data patterns in GET/POST requests.
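One way to implement the monitoring and WAF-style control recommended above, as an added example that is neither the plugin's nor any vendor's code: inspect requests that mention download_csv and flag any parameter carrying PHP serialized-object notation, raw or base64-wrapped. How the real plugin routes download_csv (admin-ajax action, custom query argument, or otherwise) is an assumption, so the matcher looks for the token anywhere in the request; the sample traffic is constructed.

```php
<?php
// Added detection illustration. Flags requests that target download_csv and
// carry PHP serialized-object notation in any GET/POST parameter. Request
// routing and the sample traffic below are assumptions/constructed data.

// Matches the start of a serialized object: O:<len>:"<class>":<n>:{  (or C: for
// custom serialization). Requiring the digit fields keeps false positives low.
const SERIALIZED_OBJECT_RE = '/\b[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';

function looks_like_serialized_object(string $value): bool
{
    if (preg_match(SERIALIZED_OBJECT_RE, $value)) {
        return true;
    }
    // Payloads are often base64-wrapped to slip past naive filters; decode
    // strictly and check again.
    if (preg_match('#^[A-Za-z0-9+/]{8,}={0,2}$#', $value)) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false && preg_match(SERIALIZED_OBJECT_RE, $decoded)) {
            return true;
        }
    }
    return false;
}

// Walk parsed parameters; parse_str() yields nested arrays for foo[bar]=...
function find_serialized_params($params, string $prefix = ''): array
{
    $hits = [];
    foreach ((array) $params as $name => $value) {
        $full = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $hits = array_merge($hits, find_serialized_params($value, $full));
        } elseif (looks_like_serialized_object((string) $value)) {
            $hits[] = $full;
        }
    }
    return $hits;
}

// $request: ['method' => ..., 'uri' => ..., 'body' => form-encoded string]
function inspect_request(array $request): array
{
    $parts = parse_url($request['uri']);
    $get = $post = [];
    parse_str($parts['query'] ?? '', $get);
    parse_str($request['body'] ?? '', $post);

    $targetsExport = stripos($request['uri'] . ' ' . ($request['body'] ?? ''), 'download_csv') !== false;

    return [
        'targets_download_csv' => $targetsExport,
        'serialized_params'    => array_merge(find_serialized_params($get), find_serialized_params($post)),
    ];
}

function should_alert(array $request): bool
{
    $r = inspect_request($request);
    return $r['targets_download_csv'] && $r['serialized_params'] !== [];
}

// Constructed sample traffic (not captured from a real site).
$samples = [
    ['method' => 'GET',  'uri' => '/wp-admin/admin-ajax.php?action=download_csv&form_id=3', 'body' => ''],
    ['method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
     'body' => 'action=download_csv&filter=' . rawurlencode('O:8:"stdClass":1:{s:1:"a";i:1;}')],
    ['method' => 'POST', 'uri' => '/wp-admin/admin-ajax.php',
     'body' => 'action=download_csv&filter=' . rawurlencode(base64_encode('O:8:"stdClass":0:{}'))],
    ['method' => 'GET',  'uri' => '/?s=O%3Anot+a+payload', 'body' => ''],
];

foreach ($samples as $i => $req) {
    $result = inspect_request($req);
    printf("sample %d: alert=%s params=%s\n", $i,
        should_alert($req) ? 'yes' : 'no', implode(',', $result['serialized_params']));
}
```

Only the second and third samples should raise an alert: a legitimate export request with scalar parameters and an unrelated search query pass through. In a WAF the same predicate would block the request; in log monitoring it would be applied to decoded request bodies, since the serialized notation appears in POST data at least as often as in the query string.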
Exploitation status
Public Exploit Available: No
Analyst recommendation
The high CVSS score and the unauthenticated nature of this vulnerability make it a priority for WordPress administrators. Even if no POP chain is currently identified, the risk of "latent" exploitation remains high. Update the plugin immediately to protect your web environment from potential takeover.