Impact
An unauthenticated PHP Object Injection vulnerability exists in the Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin up to version 1.1.1, allowing attackers to inject malicious PHP objects that can be executed on the server. The flaw is rated with a CVSS score of 9.8, indicating extreme severity and the potential for full system compromise if exploited. The vulnerability is described as a classic object injection flaw (CWE‑502) and can lead to arbitrary code execution, data exfiltration, or configuration tampering without requiring any user credentials.
Affected Systems
The affected product is the CRM Perks Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin. All installations running version 1.1.1 or earlier are vulnerable, including WordPress sites that rely on this plugin for form‑to‑CRM integration with the aforementioned form builders.
Risk and Exploitability
Because authentication is not required, any user can submit specially crafted data to trigger the injection. The EPSS score is indicated as less than 1%, suggesting a low current exploitation probability, but the high CVSS score and lack of KEV listing mean the vulnerability has a significant impact if attacked. Attackers would likely exploit it by submitting serialized PHP objects through the plugin's form handling endpoints, leading to remote code execution on the hosting server.
OpenCVE Enrichment