CVE-2025-7384: Critical PHP Object Injection in WordPress Plugin

A critical vulnerability has been found in the Database for Contact Form 7, WPForms, and Elementor forms WordPress plugin. Since this is a backend-only plugin, it is not directly detectable through standard search dorks. Supported frontend plugins could help determine the scope. However, only about 1% of hosts identified this way are actually vulnerable.

🔍 Netlas: https://nt.ls/Be3g6
ℹ️ Advisory: https://nt.ls/RoI8t

🎉 Happy Independence Day, India! 🇮🇳

Today we celebrate freedom, unity, and the courage to protect what matters.
To all our friends across the globe — here’s to peace, respect, and security for every nation. 🌍💻

Love from the Brut Security family to yours. ❤️

Hey Hunter's,
DarkShadow here back again, just look at this crazy one! I see someone find this crazy DOS🔥

Many GraphQL endpoints allow complex queries without auth. If protections like depth limits are missing.
Server will try to resolve it = CPU spike or crash (DOS).

Show your love Guy's ❤️

✅To detect Credit & Debit Card Number Leakage use this Nuclei Template - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/miscellaneous/credit-card-number-detect.yaml

Hey Hunter's,
DarkShadow here back again, just dropping a unique method to bypass waf for XSS 🔥

Waf Blocked ❌
javascript:alert()

Waf welcome ✅
javascript:new Functiondocument.body.style.background="red"

✔️ If waf Blocked additional functions then try to change the background color💥

#bugbountytips #xss

Shodan.io $5 Lifetime Membership sale is live for the next 24 hours: account.shodan.io/billing/member

Go Grab it Now ✨

Hunter's, DarkShadow here!

One liner for finding files

subfinder -d domain.com -silent | \
while read host; do \
 for path in /config.js /config.json /app/config.js /settings.json /database.json /firebase.json /.env /.env.production /api_keys.json /credentials.json /secrets.json /google-services.json /package.json /package-lock.json /composer.json /pom.xml /docker-compose.yml /manifest.json /service-worker.js; do \
  echo "$host$path"; \
 done; \
done | httpx -mc 200

#bugbountytips

Hunter's, the vulnerability was SSRF loading AWS cloud access.

and effects:

IITE – Institute of Information Technology & Education: Access to confidential student information, assessment data, and internal records.

MUHS – Maharashtra University of Health Sciences: Exposure of examination content, student records, and academic documents.

GSEB – Gujarat Secondary & Higher Secondary Education Board: Exposure of sensitive student records, exam papers, hall tickets, and related educational data.

RGUHS – Rajiv Gandhi University of Health Sciences: Access to examination papers, student records, and other confidential academic information.

i have a video POC wanna see how i was able exploit this bug!?

And don't forget to follow me 👉🏼 x.com/darkshadow2bd


#ssrf