Impact
Unauthenticated PHP Object Injection is disclosed in the WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for versions 1.2.1 and earlier. The flaw allows a remote attacker to craft malicious serialized data that is deserialized by the plugin, enabling execution of arbitrary PHP code. The potential impact includes full compromise of the web server, data theft, defacement, or further lateral movement, affecting confidentiality, integrity, and availability of the site.
Affected Systems
The vulnerability affects the CRM Perks integration plugin named WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms. Any WordPress installation running this plugin at version 1.2.1 or lower is impacted. Later releases (1.2.2+) contain the patch.
Risk and Exploitability
With a CVSS score of 9.8 the risk is critical, yet the EPSS score of <1% suggests that active exploitation is uncommon at present. The flaw is not listed in CISA’s KEV catalog. Because authentication is not required, an attacker can exploit the flaw simply by submitting crafted form data through any exposed form that the plugin handles. If successfully exploited, the attacker can execute PHP code with the permissions of the web server.
OpenCVE Enrichment