Impact
The vulnerability is an unauthenticated PHP Object Injection present in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms up to version 1.1.4. An attacker can supply crafted data through the contact form endpoints, causing PHP to instantiate malicious objects that can execute code on the server. The flaw is a classic object injection weakness classified as CWE‑502; it enables the attacker to run arbitrary code on the site without authentication.
Affected Systems
The WordPress plugin WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms distributed by CRM Perks is affected when the installed version is 1.1.4 or older. Any WordPress installation that uses these form plugins and has not updated to at least 1.1.5 is vulnerable.
Risk and Exploitability
The CVSS score of 9.8 marks the issue as critical, while the EPSS score of less than 1% shows a low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The usual attack path is remote, through publicly reachable form submissions: no user authentication is required, and an attacker can trigger the injection by posting a specially crafted payload to the form endpoint, potentially achieving code execution.
OpenCVE Enrichment