VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-49085

Description

Unauthenticated PHP Object Injection in WP Insightly plugin for multiple form builders (≤1.1.4) allows arbitrary code execution without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin (versions ≤ 1.1.4) contains an unauthenticated PHP Object Injection vulnerability. The bug resides in the plugin's handling of serialized PHP objects, where user-supplied input is deserialized without proper sanitization. This code path is reachable by any unauthenticated visitor to a WordPress site running the affected plugin, requiring no special configuration beyond default settings [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object to the vulnerable endpoint. No authentication, user interaction, or special network position is required (the attacker only needs network access to the web server). The exploitation can be performed at scale via automated scripts, targeting thousands of sites simultaneously [1].

Impact

Successful exploitation allows arbitrary PHP object injection, which, when combined with a suitable POP (Property Oriented Programming) gadget chain, can lead to remote code execution (RCE), SQL injection, path traversal, denial of service, and other severe outcomes. The attacker gains full control over the affected WordPress site, potentially compromising all data and functionality [1].

Mitigation

Update to version 1.1.5 or later, which contains a fix for this vulnerability. The advisory states that Patchstack has issued a mitigation rule to block attacks until the update is applied. No workaround other than updating is mentioned; the plugin is not listed as EOL or in the CISA KEV catalog [1].
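The narrative above (Vulnerability and Mitigation) describes the general bug class, not a specific code path, and the advisory gives no source-code context. The following is an added illustration, not code from the WP Insightly plugin or from Patchstack: hypothetical helpers showing the unsafe pattern (request data fed straight into unserialize()), two hardened replacements, and a simple log/WAF-side heuristic for spotting serialized-object tokens in request parameters. Function names, the form-state shape and the sample inputs are all constructed for this example.

```php
<?php
declare(strict_types=1);
// Added illustration; hypothetical helpers, not code from the WP Insightly plugin.

// Unsafe pattern (the class of bug the advisory describes): feeding request
// data straight into unserialize(). PHP instantiates whatever class the payload
// names and later runs its __wakeup()/__destruct() magic methods, which is what
// a POP gadget chain builds on.
function unsafe_restore_form_state(string $raw): array
{
    $state = unserialize($raw); // untrusted input -> attacker-chosen objects
    return is_array($state) ? $state : [];
}

// Hardened form 1: keep the wire format but forbid object creation.
// With allowed_classes => false every O:... token becomes __PHP_Incomplete_Class,
// so no application class is ever instantiated and no magic method runs.
function safe_restore_form_state(string $raw): array
{
    $state = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($state)) {
        return []; // scalars, false, or a bare (incomplete) object: reject
    }
    array_walk_recursive($state, static function ($value): void {
        if (is_object($value)) { // nested incomplete objects are still objects
            throw new InvalidArgumentException('objects are not permitted in form state');
        }
    });
    return $state;
}

// Hardened form 2 (preferred for new code): a format that cannot express objects.
function json_restore_form_state(string $raw): array
{
    $state = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($state) ? $state : [];
}

// Defender-side heuristic for request logs or a virtual-patch rule: does a
// parameter carry a serialized PHP object token? Matches O:<len>:"<class>" at
// the start of a value or directly after a separator. Tune before deploying.
function looks_like_serialized_object(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{])O:\d+:"/', $value);
}

// Constructed sample inputs.
$benign = serialize(['name' => 'Ada', 'email' => 'ada@example.test']);
$nested = serialize(['meta' => new stdClass()]); // harmless class, payload-shaped
$bare   = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

$checks = [
    'unsafe: benign array round-trips'  => unsafe_restore_form_state($benign)
                                           === ['name' => 'Ada', 'email' => 'ada@example.test'],
    'unsafe: payload class instantiated' => unsafe_restore_form_state($nested)['meta'] instanceof stdClass,
    'safe: bare object rejected'         => safe_restore_form_state($bare) === [],
    'safe: nested object rejected'       => (static function () use ($nested): bool {
        try {
            safe_restore_form_state($nested);
            return false;
        } catch (InvalidArgumentException $e) {
            return true;
        }
    })(),
    'safe: benign array still works'     => safe_restore_form_state($benign)
                                           === ['name' => 'Ada', 'email' => 'ada@example.test'],
    'json: plain data accepted'          => json_restore_form_state('{"name":"Ada"}') === ['name' => 'Ada'],
    'heuristic flags object tokens'      => looks_like_serialized_object($bare)
                                           && looks_like_serialized_object($nested),
    'heuristic passes benign values'     => !looks_like_serialized_object($benign)
                                           && !looks_like_serialized_object('{"name":"Ada"}'),
];

foreach ($checks as $name => $ok) {
    printf("%-36s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
```

The second check is the whole point of the bug class: with plain unserialize(), a visitor who controls the string also controls which classes get instantiated. The hardened variants are what a patch for this kind of finding normally looks like (either `allowed_classes => false` plus an object sweep, or moving the format to JSON); the heuristic is only a triage aid for reviewing access logs or building a temporary blocking rule while the update in the Mitigation section is rolled out.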

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1