CVE-2026-49104
Description
Unauthenticated PHP Object Injection in the Integration for Keap plugin (<=1.2.1) allows remote code execution via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress plugin "Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms" (slug cf7-infusionsoft) is vulnerable, in versions 1.2.1 and earlier, to unauthenticated PHP Object Injection. The flaw lies in deserializing user-supplied input without validating it, which lets an attacker inject arbitrary PHP objects. No authentication is required to exploit the vulnerability [1].
Exploitation
An unauthenticated attacker can send a specially crafted HTTP request containing a serialized PHP object to the vulnerable plugin. The request does not require any prior authentication or user interaction. The injection occurs when the plugin unserializes the malicious payload, enabling the attacker to control the object's properties and trigger a POP (Property Oriented Programming) chain if available [1].
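To make the mechanism described above concrete from the defender's side, here is an added illustration of the general PHP Object Injection pattern beside two hardened forms. This is example code written for this page, not the cf7-infusionsoft plugin's code, and the function and class names (fetch_settings_*, IntegrationSettings) are hypothetical. It assumes PHP 8.

```php
<?php
// Added illustration (not the plugin's code): unserialize() on untrusted input,
// and two ways to close the hole. Names here are hypothetical.

declare(strict_types=1);

final class IntegrationSettings {
    public string $apiKey = '';
    public string $webhookUrl = '';
}

// VULNERABLE: unserialize() runs on a request parameter. PHP instantiates
// whatever class the payload names and invokes its magic methods (__wakeup,
// __destruct, ...). That is the hook a POP chain depends on.
function fetch_settings_vulnerable(string $untrusted): mixed
{
    return unserialize(base64_decode($untrusted));
}

// HARDENED 1: keep the format but refuse to instantiate any class.
// With allowed_classes => false (PHP >= 7.0) objects become
// __PHP_Incomplete_Class placeholders, which have no magic methods.
// max_depth (PHP >= 7.4) bounds nesting so a deep payload cannot exhaust
// the stack. Anything that is not a plain array of scalars is rejected.
function fetch_settings_hardened(string $untrusted): array
{
    $raw = base64_decode($untrusted, true);
    if ($raw === false) {
        throw new InvalidArgumentException('not valid base64');
    }
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    // Fail closed on any object placeholder anywhere in the structure.
    array_walk_recursive($data, static function ($leaf): void {
        if (is_object($leaf)) {
            throw new InvalidArgumentException('objects are not accepted');
        }
    });
    return $data;
}

// HARDENED 2 (preferred): do not use PHP's serialization format across a
// trust boundary at all. JSON cannot name a class, so there is nothing for a
// gadget chain to attach to; validate each field explicitly afterwards.
function fetch_settings_json(string $untrusted): IntegrationSettings
{
    $decoded = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    $s = new IntegrationSettings();
    $s->apiKey = is_string($decoded['apiKey'] ?? null) ? $decoded['apiKey'] : '';
    $url = $decoded['webhookUrl'] ?? '';
    $s->webhookUrl = is_string($url) && filter_var($url, FILTER_VALIDATE_URL) ? $url : '';
    return $s;
}

// Constructed sample input (not a real payload): a serialized array that also
// carries a harmless stdClass object. The hardened reader must refuse it.
$sample = base64_encode('a:2:{s:1:"k";s:3:"abc";s:3:"obj";O:8:"stdClass":0:{}}');

try {
    fetch_settings_hardened($sample);
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

echo fetch_settings_json('{"apiKey":"k-123","webhookUrl":"https://example.test/hook"}')->webhookUrl, "\n";
```

The vulnerable function is the shape to look for during a code review of any plugin that stores or receives serialized state: a reachable `unserialize()` whose argument is influenced by a request, cookie, or database field the user can write. Of the two fixes, switching the wire format to JSON removes the class of bug; `allowed_classes => false` is the minimal change when the serialized format cannot be replaced immediately.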
Impact
Successful exploitation can lead to a wide range of severe outcomes, including remote code execution, SQL injection, path traversal, and denial of service, depending on the available POP chain. The vulnerability is rated critical (CVSS 9.8) and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Mitigation
The vulnerability is fixed in version 1.2.2 of the plugin. Users are strongly advised to update immediately. Patchstack has also issued a mitigation rule to block attacks until the update is applied. No other workarounds have been disclosed [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026), Wordfence Blog · Jun 11, 2026