Description
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw in the WordPress Integration for Contact Form 7 HubSpot plugin versions up to 1.3.7. While the official description does not explicitly state the outcome of an injection, the nature of PHP Object Injection typically allows an attacker to execute arbitrary code, and that inference is supported by the high CVSS score of 9.8. This level of impact indicates a severe threat to confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The affected product is the WordPress Integration for Contact Form 7 HubSpot plugin developed by CRM Perks. All releases through version 1.3.7 are impacted, meaning any WordPress installation that includes this plugin—regardless of user role—could be compromised if the plugin is present.

Risk and Exploitability

The CVSS score of 9.8 and an EPSS score of less than 1% suggest a powerful vulnerability that remains low in current exploitation probability but still poses a severe risk. It is not listed in CISA KEV. Because authentication is not required, the most likely attack vector is through crafted input directed to the plugin’s interface, potentially via the contact form endpoint. An attacker who can send requests to the vulnerable plugin can exploit the flaw to run code on the host.

Generated by OpenCVE AI on June 18, 2026 at 03:17 UTC.

Remediation

Vendor Solution

Update the WordPress Integration for Contact Form 7 HubSpot plugin to the latest available version (at least 1.3.8).


OpenCVE Recommended Actions

  • Upgrade the WordPress Integration for Contact Form 7 HubSpot plugin to version 1.3.8 or newer.
  • If the plugin is not required for business operations, uninstall or disable it entirely from the WordPress installation.
  • If an immediate upgrade is not feasible, consider isolating the exposed WordPress instance by restricting external access or applying firewall rules to block requests to the plugin’s endpoint until a patch can be applied.

Generated by OpenCVE AI on June 18, 2026 at 03:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Crm Perks
Crm Perks integration For Contact Form 7 Hubspot
Wordpress
Wordpress wordpress
Vendors & Products Crm Perks
Crm Perks integration For Contact Form 7 Hubspot
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.
Title WordPress Integration for Contact Form 7 HubSpot plugin <= 1.3.7 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Crm Perks Integration For Contact Form 7 Hubspot
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T20:19:22.379Z

Reserved: 2026-06-01T15:29:09.316Z

Link: CVE-2026-49763

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:21.357

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49763

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:30:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data