Description
Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection was discovered in the Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress versions 1.1.8 and earlier. This flaw allows an attacker to embed arbitrary serialized PHP objects in user‑supplied data, leading to arbitrary code execution on the server. The vulnerability directly compromises the confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

The affected product is the CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin, specifically all releases up to and including 1.1.8. Sites that have installed these versions are at risk while the plugin runs within a WordPress environment.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score of less than 1% reflects a very low but non-zero likelihood of exploitation in current observations. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is unauthenticated exploitation via data submitted through the plugin’s public interfaces or by sending crafted requests directly to WordPress endpoints that load the vulnerable plugin.

Generated by OpenCVE AI on June 18, 2026 at 00:26 UTC.

Remediation

Vendor Solution

Update the WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin to the latest available version (at least 1.1.9).


OpenCVE Recommended Actions

  • Update the Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin to version 1.1.9 or later, as advised by the vendor.
  • Verify that no legacy 1.1.8 or earlier copies of the plugin remain installed on the site and remove them if found.
  • Disable or uninstall the plugin on any WordPress installations that do not strictly require it, and restrict PHP execution of plugin directories using web‑server configuration or security plugins.

Generated by OpenCVE AI on June 18, 2026 at 00:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Crm Perks
Crm Perks integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms
Wordpress
Wordpress wordpress
Vendors & Products Crm Perks
Crm Perks integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.
Title WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.8 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Crm Perks Integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:21:58.784Z

Reserved: 2026-06-01T15:29:09.316Z

Link: CVE-2026-49765

cve-icon Vulnrichment

Updated: 2026-06-16T12:21:55.213Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:21.587

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49765

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T00:30:14Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data