Impact
An unauthenticated PHP Object Injection flaw has been discovered in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin, versions 1.1.4 and earlier. This weakness enables an attacker to inject malicious PHP objects into the application, which can lead to arbitrary code execution and complete compromise of the WordPress site. The vulnerability is classed as CWE‑502.
Affected Systems
The flaw affects the CRM Perks WP Insightly plugin that integrates with Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms. Any WordPress site running this plugin version 1.1.4 or earlier is vulnerable.
Risk and Exploitability
The CVSS score of 9.8 marks it as critical, and the EPSS score of less than 1% indicates a low probability of widespread exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated request to a public form rendered by the plugin, where an attacker can craft payloads that trigger the object injection. Such an attack would give the attacker complete control over the server by executing PHP code.
OpenCVE Enrichment