Description
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw found in versions of the Happyforms plugin up to 1.26.13. An attacker who can deliver a specially crafted request to the plugin can create an instance of a PHP object in memory with arbitrary properties. Depending on the object’s class and the plugin’s subsequent handling, this flaw can be leveraged to execute arbitrary PHP code, allowing full control over the affected web application. The weakness is classified as CWE‑502, which specifically covers serialization-related deserialization issues that enable injection attacks.

Affected Systems

The affected product is the WordPress plugin Happyforms, with all releases up to and including 1.26.13 being vulnerable. Sites that have installed these legacy plugin versions are at risk; newer releases have removed the vulnerable code path.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, and the EPSS score of less than 1% suggests that statistically the exploitation probability is low, however the critical nature means any successful exploitation would be devastating. The CVE is not listed in the CISA KEV catalog, implying that a known, active exploit has not yet been reported, but attackers may still actively develop one. The likely attack vector is through unauthenticated HTTP requests that target the plugin’s form or data handling endpoints, arriving either from the public internet or from an internal network if the site is exposed to threat actors.

Generated by OpenCVE AI on June 18, 2026 at 00:25 UTC.

Remediation

Vendor Solution

Update the WordPress Happyforms Plugin to the latest available version (at least 1.26.14).


OpenCVE Recommended Actions

  • Upgrade the Happyforms plugin to version 1.26.14 or newer
  • If an immediate upgrade is not possible, disable the plugin until the patch is applied
  • Run a security scan and review website logs for signs of malicious object injection attempts

Generated by OpenCVE AI on June 18, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Happyforms
Happyforms happyforms
Wordpress
Wordpress wordpress
Vendors & Products Happyforms
Happyforms happyforms
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
Title WordPress Happyforms plugin <= 1.26.13 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Happyforms Happyforms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:42:29.622Z

Reserved: 2026-06-01T15:29:09.316Z

Link: CVE-2026-49768

cve-icon Vulnrichment

Updated: 2026-06-16T14:39:46.847Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:21.823

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49768

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T00:30:14Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data