Impact
The vulnerability is an unauthenticated PHP Object Injection flaw in the WordPress Integration for Contact Form 7 and Constant Contact plugin versions up to 1.1.6. This weakness allows an attacker to inject serialized PHP objects through HTTP requests, potentially enabling the execution of arbitrary PHP code if the deserialization process is invoked. The CVSS score of 9.8 reflects the high severity associated with running code on the target server, compromising confidentiality, integrity, and availability of the WordPress site.
Affected Systems
Organizations that have installed the WordPress Integration for Contact Form 7 and Constant Contact plugin version 1.1.6 or earlier, developed by CRM Perks, are impacted. No other versions are reported as vulnerable.
Risk and Exploitability
The EPSS score is below 1%, indicating a low current exploitation probability, but the lack of authentication requirement means an attacker can craft a request from anywhere. The CVSS score of 9.8 quantifies the potential for code execution, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers likely target public WordPress sites that host the vulnerable plugin.
OpenCVE Enrichment