CVE-2026-49106

Vulnerability

Unauthenticated PHP Object Injection vulnerability in the WordPress plugin "Integration for Contact Form 7 and Constant Contact" versions <= 1.1.6. The plugin fails to properly sanitize user-supplied input, allowing an attacker to inject arbitrary serialized PHP objects without authentication [1].

Exploitation

An attacker can exploit this by sending a crafted HTTP request containing a malicious serialized PHP object to any exposed endpoint of the plugin. No authentication is required. Successful exploitation depends on the availability of a suitable POP (Property Oriented Programming) chain within the plugin or WordPress core to trigger code execution [1].

Impact

If a viable POP chain exists, an attacker can achieve arbitrary code execution, SQL injection, path traversal, or denial of service. This can lead to full site compromise. The vulnerability is rated critical (CVSS 9.8) and is expected to be widely exploited in mass campaigns [1].

Mitigation

Update to version 1.1.7, which contains the fix. If unable to update immediately, apply a virtual patch or mitigation rule from a security plugin like Patchstack. The plugin's vendor has released the patched version, and users are strongly advised to apply it as soon as possible [1].