Description
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution via PHP Object Injection
Action: Update Plugin
AI Analysis

Impact

The vulnerability allows unauthenticated attackers to inject serialized PHP objects through the download_csv endpoint of the Database for Contact Form 7, WPforms, Elementor forms plugin. The plugin itself contains no exploitable gadget class, so a successful exploit depends on a property-oriented programming (POP) chain being present elsewhere on the site. If such a chain exists, an attacker may delete files, exfiltrate data, or execute arbitrary code, resulting in a compromise of confidentiality, integrity, and availability of the affected site.

Affected Systems

WordPress sites using the crmperks "Database for Contact Form 7, WPforms, Elementor forms" plugin in versions 1.4.7 or earlier are affected. No explicit sub-version details are provided beyond the maximum vulnerable version 1.4.7.

Risk and Exploitability

The CVSS score of 9.8 categorizes this as a critical vulnerability. The EPSS score indicates a very low probability of exploitation (<1%), and it is not listed in the CISA KEV catalog. The likely attack vector is a direct, unauthenticated HTTP request to the download_csv function, where a crafted payload would cause object deserialization. Success requires a pre-existing POP chain, such as another plugin or theme that contains a vulnerable class. Without that additional component the vulnerability is effectively mitigated, but the potential for catastrophic impact remains if a POP chain is present.

Generated by OpenCVE AI on April 15, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Database for Contact Form 7, WPforms, Elementor forms plugin to a version newer than 1.4.7 once a patched release becomes available.
  • If an immediate upgrade is impossible, restrict access to the download_csv endpoint by disabling the form entry export feature or securing the URL with authentication or access controls.
  • Audit installed plugins and themes for known POP chains and remove or update any vulnerable components.
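The following is an added illustration, not the plugin's own code and not derived from it, of how a form-entry CSV export handler can be written so that the two conditions described above (unauthenticated reachability and unserialize() of request input) are both removed. All function names, the 'filters' parameter, the nonce action and the sample rows are hypothetical; the WordPress API calls used (current_user_can, check_admin_referer, wp_unslash, wp_die, absint, add_action) are real.

```php
<?php
// Added example (not from the plugin): hardening a CSV export endpoint against
// PHP Object Injection (CWE-502). Names prefixed vdp_ are hypothetical.

// WEAK PATTERN, shown only for contrast. Two defects: no authentication or
// capability check, and unserialize() on a request parameter, which lets the
// caller choose which classes PHP instantiates (the POP-chain precondition).
function vdp_export_csv_weak() {
    $filters = unserialize($_REQUEST['filters']); // untrusted bytes -> objects
    return $filters;
}

// HARDENED: parse export filters from JSON into plain arrays only, then
// allowlist every key before anything downstream sees it.
function vdp_parse_export_filters($raw) {
    // json_decode(..., true) yields arrays, never objects, so no class can be
    // instantiated from the input regardless of what it contains.
    $filters = json_decode($raw, true, 4);
    if (!is_array($filters) || json_last_error() !== JSON_ERROR_NONE) {
        return null;
    }
    $clean = [];
    if (isset($filters['form_id'])) {
        $clean['form_id'] = absint($filters['form_id']);
    }
    foreach (['date_from', 'date_to'] as $k) {
        if (isset($filters[$k]) && is_string($filters[$k])
            && preg_match('/^\d{4}-\d{2}-\d{2}$/', $filters[$k])) {
            $clean[$k] = $filters[$k];
        }
    }
    return $clean;
}

// If legacy callers still send PHP-serialized strings, refuse class
// instantiation outright. With allowed_classes => false every object token
// becomes __PHP_Incomplete_Class; reject anything that is not scalar/array.
function vdp_parse_legacy_filters($raw) {
    $filters = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($filters)) {
        return null;
    }
    $has_object = false;
    array_walk_recursive($filters, function ($v) use (&$has_object) {
        if (is_object($v)) {
            $has_object = true;
        }
    });
    return $has_object ? null : $filters;
}

// Request handler: authenticated, capability-checked, CSRF-protected, and
// fed only through the allowlisting parser above.
function vdp_export_csv() {
    if (!is_user_logged_in() || !current_user_can('manage_options')) {
        wp_die('Forbidden', 403);
    }
    // Hypothetical nonce action name; dies on mismatch.
    check_admin_referer('vdp_export_csv', '_wpnonce');

    $raw     = isset($_REQUEST['filters']) ? wp_unslash($_REQUEST['filters']) : '{}';
    $filters = vdp_parse_export_filters($raw);
    if ($filters === null) {
        wp_die('Invalid export filters', 400);
    }

    // Constructed sample rows standing in for the real entry query.
    $rows = [
        ['id' => 1, 'form_id' => 7, 'email' => 'alice@example.invalid'],
        ['id' => 2, 'form_id' => 7, 'email' => 'bob@example.invalid'],
    ];
    if (isset($filters['form_id'])) {
        $rows = array_filter($rows, fn($r) => $r['form_id'] === $filters['form_id']);
    }

    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="entries.csv"');
    $out = fopen('php://output', 'w');
    fputcsv($out, ['id', 'form_id', 'email']);
    foreach ($rows as $r) {
        // Prefix formula-leading cells so spreadsheet clients do not execute them.
        $r['email'] = preg_match('/^[=+\-@]/', $r['email']) ? "'" . $r['email'] : $r['email'];
        fputcsv($out, [$r['id'], $r['form_id'], $r['email']]);
    }
    fclose($out);
    exit;
}
// admin_post_* hooks only fire for logged-in users; the capability check above
// further restricts who may export.
add_action('admin_post_vdp_export_csv', 'vdp_export_csv');
```

The point a reviewer would check first is the parser: unserialize() on anything an HTTP client controls is the bug class here, and the presence or absence of a gadget chain on a particular site only decides how bad it is. Replacing the wire format with JSON removes the class-instantiation step entirely; allowed_classes => false is the fallback when the serialized format cannot be retired. Auditing for POP chains (the third action above) is still worthwhile, but it is a second line of defence, not a substitute.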


Tracking


Advisories

No advisories yet.

History

Sat, 07 Mar 2026 03:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Crmperks; Crmperks database For Contact Form 7, Wpforms, Elementor Forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Crmperks; Crmperks database For Contact Form 7, Wpforms, Elementor Forms; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 12:45:00 +0000

Type: Description
Values removed: (none)
Values added: the record's description (the same text as the Description section at the top of this page)

Type: Title
Values removed: (none)
Values added: Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv'

Type: Weaknesses
Values removed: (none)
Values added: CWE-502

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Crmperks Database For Contact Form 7, Wpforms, Elementor Forms
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:18.125Z

Reserved: 2026-02-16T20:39:16.486Z

Link: CVE-2026-2599

Vulnrichment

Updated: 2026-03-05T14:16:26.618Z

NVD

Status : Deferred

Published: 2026-03-05T13:16:30.167

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-2599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses