Impact
Unauthenticated PHP Object Injection was discovered in the Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress versions 1.1.8 and earlier. This flaw allows an attacker to embed arbitrary serialized PHP objects in user‑supplied data, leading to arbitrary code execution on the server. The vulnerability directly compromises the confidentiality, integrity, and availability of the affected WordPress installation.
Affected Systems
The affected product is the CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin, specifically all releases up to and including 1.1.8. Sites that have installed these versions are at risk while the plugin runs within a WordPress environment.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, and the EPSS score of less than 1% reflects a very low but non-zero likelihood of exploitation in current observations. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is unauthenticated exploitation via data submitted through the plugin’s public interfaces or by sending crafted requests directly to WordPress endpoints that load the vulnerable plugin.
OpenCVE Enrichment