CVE-2026-49105

Vulnerability

The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to unauthenticated PHP Object Injection in versions 1.1.4 and earlier. The flaw exists in the plugin's handling of serialized input without proper sanitization or validation, allowing an attacker to inject arbitrary PHP objects if a suitable gadget chain is available in the application or its extensions [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring any authentication. The attacker sends a crafted HTTP request containing malicious serialized data to the vulnerable plugin endpoint. No user interaction is required, and the attacker does not need any prior access or privileges on the WordPress site [1].

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, or other severe outcomes, depending on the presence and availability of a proper Property-Oriented Programming (POP) chain in the WordPress environment [1]. This could result in complete compromise of the affected site.

Mitigation

The vulnerability has been fixed in version 1.1.5 of the plugin. Users are strongly advised to update to version 1.1.5 or later immediately. Patchstack has released a mitigation rule to block attacks for users who cannot update immediately [1]. This vulnerability is expected to be widely exploited and is listed as critical.