Description
Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection is disclosed in the WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for versions 1.2.1 and earlier. The flaw allows a remote attacker to craft malicious serialized data that is deserialized by the plugin, enabling execution of arbitrary PHP code. The potential impact includes full compromise of the web server, data theft, defacement, or further lateral movement, affecting confidentiality, integrity, and availability of the site.

Affected Systems

The vulnerability affects the CRM Perks integration plugin named WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms. Any WordPress installation running this plugin at version 1.2.1 or lower is impacted. Later releases (1.2.2+) contain the patch.

Risk and Exploitability

With a CVSS score of 9.8 the risk is critical, yet the EPSS score of <1% suggests that active exploitation is uncommon at present. The flaw is not listed in CISA’s KEV catalog. Because authentication is not required, an attacker can exploit the flaw simply by submitting crafted form data through any exposed form that the plugin handles. If successfully exploited, the attacker can execute PHP code with the permissions of the web server.

Generated by OpenCVE AI on June 18, 2026 at 00:28 UTC.

Remediation

Vendor Solution

Update the WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin to the latest available version (at least 1.2.2).


OpenCVE Recommended Actions

  • Update the WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin to version 1.2.2 or later.
  • If an update cannot be performed immediately, disable the plugin or remove its integration features to prevent exposure.
  • Deploy a web application firewall or input validation rules that reject malicious serialized input on form submissions, and monitor traffic for anomalous activity.

Generated by OpenCVE AI on June 18, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Crm Perks
Crm Perks integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms
Wordpress
Wordpress wordpress
Vendors & Products Crm Perks
Crm Perks integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.
Title WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.2.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Crm Perks Integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:53:47.012Z

Reserved: 2026-05-27T15:12:19.105Z

Link: CVE-2026-49104

cve-icon Vulnrichment

Updated: 2026-06-16T12:53:43.307Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:20.400

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49104

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data