Description
Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection present in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms up to version 1.1.4. An attacker can supply crafted data through the contact form endpoints, causing PHP to instantiate malicious objects that can execute code on the server. The flaw is a classic object injection weakness classified as CWE‑502; it enables the attacker to run arbitrary code on the site without authentication.

Affected Systems

The WordPress plugin WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms distributed by CRM Perks is affected when the installed version is 1.1.4 or older. Any WordPress installation that uses these form plugins and has not updated to at least 1.1.5 is vulnerable.

Risk and Exploitability

The CVSS score of 9.8 marks the issue as critical, while the EPSS score of less than 1% shows a low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The usual attack path is remote, through publicly reachable form submissions: no user authentication is required, and an attacker can trigger the injection by posting a specially crafted payload to the form endpoint, potentially achieving code execution.

Generated by OpenCVE AI on June 18, 2026 at 03:18 UTC.

Remediation

Vendor Solution

Update the WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin to the latest available version (at least 1.1.5).


OpenCVE Recommended Actions

  • Update the WP Zendesk plugin to version 1.1.5 or later.
  • If an update cannot be applied immediately, temporarily disable or remove the affected form shortcodes or the entire plugin until the patch is available.
  • Monitor site logs for anomalous POST requests to the contact form endpoints to detect potential exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 03:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Crmperks
Crmperks wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms
Wordpress
Wordpress wordpress
Vendors & Products Crmperks
Crmperks wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
Title WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Crmperks Wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T21:38:33.159Z

Reserved: 2026-05-27T15:12:19.105Z

Link: CVE-2026-49105

cve-icon Vulnrichment

Updated: 2026-06-15T21:38:27.471Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:20.517

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49105

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:30:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data