Description
Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw in the WordPress Integration for Contact Form 7 and Constant Contact plugin versions up to 1.1.6. This weakness allows an attacker to inject serialized PHP objects through HTTP requests, potentially enabling the execution of arbitrary PHP code if the deserialization process is invoked. The CVSS score of 9.8 reflects the high severity associated with running code on the target server, compromising confidentiality, integrity, and availability of the WordPress site.

Affected Systems

Organizations that have installed the WordPress Integration for Contact Form 7 and Constant Contact plugin version 1.1.6 or earlier, developed by CRM Perks, are impacted. No other versions are reported as vulnerable.

Risk and Exploitability

The EPSS score is below 1%, indicating a low current exploitation probability, but the lack of authentication requirement means an attacker can craft a request from anywhere. The CVSS score of 9.8 quantifies the potential for code execution, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers likely target public WordPress sites that host the vulnerable plugin.

Generated by OpenCVE AI on June 18, 2026 at 03:18 UTC.

Remediation

Vendor Solution

Update the WordPress Integration for Contact Form 7 and Constant Contact plugin to the latest available version (at least 1.1.7).


OpenCVE Recommended Actions

  • Apply the latest available version of the WordPress Integration for Contact Form 7 and Constant Contact plugin (at least 1.1.7) to remove the PHP Object Injection flaw.
  • If the update cannot be performed immediately, disable the plugin to eliminate the attack surface until a patched version is available.
  • Deploy a Web Application Firewall rule to detect and block requests containing suspicious serialized PHP objects, mitigating attempts while remediation steps are in progress.

Generated by OpenCVE AI on June 18, 2026 at 03:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Crmperks
Crmperks integration For Contact Form 7 And Constant Contact
Wordpress
Wordpress wordpress
Vendors & Products Crmperks
Crmperks integration For Contact Form 7 And Constant Contact
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.
Title WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Crmperks Integration For Contact Form 7 And Constant Contact
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:22:20.094Z

Reserved: 2026-05-27T15:12:19.105Z

Link: CVE-2026-49106

cve-icon Vulnrichment

Updated: 2026-06-16T12:22:16.652Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:20.630

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49106

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:30:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data