Critical severity · CVSS 9.8 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-49109

Description

Unauthenticated PHP object injection in the Integration for Salesforce plugin for WordPress <= 1.4.3 allows remote code execution without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress, versions 1.4.3 and earlier, suffers from an unauthenticated PHP object injection vulnerability. The bug resides in how the plugin deserializes user-supplied input without proper sanitization. No special configuration or conditions are required to reach the vulnerable code path; it is present in all installations running the affected versions [1].
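To make the bug class concrete, the following is an added illustration, not the plugin's code and not its actual fix: the vulnerable pattern (untrusted input passed straight to `unserialize()`) beside two hardened forms. The function names, the `form_id`/`lead` input shape and the sample payloads are assumptions constructed for this example, and it assumes PHP 7.4 or later.

```php
<?php
// Added illustration of the bug class named above; not the plugin's code.
// Function names and the sample payloads below are constructed for this example.

// Vulnerable pattern: unserialize() instantiates any class named in the payload
// and later runs its __wakeup()/__destruct(), so whoever controls the string
// controls the object graph (the "POP chain" the Impact section refers to).
function load_state_vulnerable(string $untrusted)
{
    return @unserialize($untrusted);
}

// True if the decoded structure contains an object at any depth.
function contains_object($value): bool
{
    return is_object($value)
        || (is_array($value) && array_reduce($value, fn($hit, $item) => $hit || contains_object($item), false));
}

// Hardened pattern 1: keep the format but forbid instantiation. With
// allowed_classes => false every object becomes __PHP_Incomplete_Class (no magic
// methods run); reject such payloads rather than use them. max_depth (PHP >= 7.4)
// bounds nesting so deeply nested input cannot exhaust the stack.
function load_state_no_objects(string $untrusted)
{
    $data = @unserialize($untrusted, ['allowed_classes' => false, 'max_depth' => 8]);
    if ($data === false || contains_object($data)) {
        return null; // malformed, or an object was smuggled in
    }
    return $data;
}

// Hardened pattern 2: do not accept PHP serialization from the network at all.
// JSON cannot name classes, so the sender controls only the data shape.
function load_state_json(string $untrusted): ?array
{
    try {
        $data = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}
// Constructed inputs: a plain array, and the same array carrying an object.
$plain    = serialize(['form_id' => 7, 'lead' => 'jane@example.test']);
$smuggled = 'a:1:{s:4:"lead";O:8:"stdClass":1:{s:5:"email";s:17:"jane@example.test";}}';
var_dump(load_state_vulnerable($smuggled)['lead'] instanceof stdClass); // the object was instantiated
var_dump(load_state_no_objects($plain));                                // plain data passes through
var_dump(load_state_no_objects($smuggled));                             // smuggled object is rejected
var_dump(load_state_json('{"form_id":7,"lead":"jane@example.test"}'));  // parsed with no class lookup
```

The first hardened form is the minimal change for code that must keep reading existing serialized data; the second is what a new integration should use for anything that arrives over HTTP.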

Exploitation

An attacker can exploit this vulnerability remotely without any authentication. By sending a crafted HTTP request containing a malicious serialized PHP object to the vulnerable endpoint, the attacker triggers PHP object injection. No user interaction or elevated privileges are needed. The exploit can be carried out over the network with low complexity [1].

Impact

Successful exploitation allows an attacker to achieve remote code execution if a suitable POP chain is available in the WordPress environment. This can lead to complete compromise of the affected site, including data theft, site defacement, malware distribution, and further attacks on server infrastructure. The vulnerability is rated critical with a CVSS score of 9.8 [1].

Mitigation

The vendor has released version 1.4.4, which fixes the vulnerability. Users must update to version 1.4.4 or later immediately. For those unable to update, Patchstack has issued a mitigation rule to block attacks until the update is applied. The vulnerability is expected to be widely exploited in mass campaigns [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1