Impact
The vulnerability is an unauthenticated PHP Object Injection flaw found in versions of the Happyforms plugin up to 1.26.13. An attacker who can deliver a specially crafted request to the plugin can create an instance of a PHP object in memory with arbitrary properties. Depending on the object’s class and the plugin’s subsequent handling, this flaw can be leveraged to execute arbitrary PHP code, allowing full control over the affected web application. The weakness is classified as CWE‑502, which specifically covers serialization-related deserialization issues that enable injection attacks.
Affected Systems
The affected product is the WordPress plugin Happyforms, with all releases up to and including 1.26.13 being vulnerable. Sites that have installed these legacy plugin versions are at risk; newer releases have removed the vulnerable code path.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical severity, and the EPSS score of less than 1% suggests that statistically the exploitation probability is low, however the critical nature means any successful exploitation would be devastating. The CVE is not listed in the CISA KEV catalog, implying that a known, active exploit has not yet been reported, but attackers may still actively develop one. The likely attack vector is through unauthenticated HTTP requests that target the plugin’s form or data handling endpoints, arriving either from the public internet or from an internal network if the site is exposed to threat actors.
OpenCVE Enrichment