Description
The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator views the stored entry. This is an incomplete fix of CVE-2025-7384 and CVE-2026-2599, whose deserialization paths were hardened while the entry-editor file-field path was missed.
Published:
2026-07-13
Score:
n/a
EPSS:
n/a
KEV:
No
Impact:
n/a
Action:
n/a
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Mon, 13 Jul 2026 06:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator views the stored entry. This is an incomplete fix of CVE-2025-7384 and CVE-2026-2599, whose deserialization paths were hardened while the entry-editor file-field path was missed. | |
| Title | Database for Contact Form 7, WPforms, Elementor forms < 1.5.2 - Unauthenticated PHP Object Injection via Entry File Field | |
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-13T06:00:01.807Z
Reserved: 2026-06-12T12:57:19.880Z
Link: CVE-2026-12081
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.