Impact
The vulnerability is an unauthenticated PHP Object Injection flaw in the WordPress Integration for Contact Form 7 HubSpot plugin versions up to 1.3.7. While the official description does not explicitly state the outcome of an injection, the nature of PHP Object Injection typically allows an attacker to execute arbitrary code, and that inference is supported by the high CVSS score of 9.8. This level of impact indicates a severe threat to confidentiality, integrity, and availability of the affected WordPress site.
Affected Systems
The affected product is the WordPress Integration for Contact Form 7 HubSpot plugin developed by CRM Perks. All releases through version 1.3.7 are impacted, meaning any WordPress installation that includes this plugin—regardless of user role—could be compromised if the plugin is present.
Risk and Exploitability
The CVSS score of 9.8 and an EPSS score of less than 1% suggest a powerful vulnerability that remains low in current exploitation probability but still poses a severe risk. It is not listed in CISA KEV. Because authentication is not required, the most likely attack vector is through crafted input directed to the plugin’s interface, potentially via the contact form endpoint. An attacker who can send requests to the vulnerable plugin can exploit the flaw to run code on the host.
OpenCVE Enrichment