CVE-2026-49763

Vulnerability

The WordPress Integration for Contact Form 7 HubSpot plugin versions 1.3.7 and earlier contain an unauthenticated PHP Object Injection vulnerability. This flaw allows an attacker to inject arbitrary serialized PHP objects through plugin inputs, potentially triggering a POP (Property Oriented Programming) chain if a suitable gadget is present in the application or its dependencies. No authentication is required to exploit this issue.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing malicious serialized PHP objects to the vulnerable plugin endpoint. No user interaction, prior authentication, or specific network position is needed, making the attack vector fully remote and unauthenticated. The exploitation does not require any special configuration beyond the default plugin settings.

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, or other severe impacts depending on the available POP chain. The CVSS v3 base score of 9.8 (Critical) underscores the high risk. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites simultaneously.

Mitigation

The vulnerability is fixed in version 1.3.8 and later. Users are strongly advised to update immediately. If an immediate update is not possible, Patchstack provides a mitigation rule that blocks attacks until the plugin is updated. For WordPress sites, enabling auto-updates for plugins can help maintain security. No other workarounds are mentioned in the available references.

[1]