CVE-2026-49765

Vulnerability

An unauthenticated PHP Object Injection vulnerability exists in the Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress versions 1.1.8 and earlier [1]. The flaw allows an attacker to inject arbitrary PHP objects via unsanitized user input, without requiring authentication. The vulnerability is present in the plugin's handling of serialized payloads, enabling injection if a proper POP (Property Oriented Programming) chain is present in the application [1].

Exploitation

Exploitation requires no authentication and no special network position, as the vulnerability can be triggered by any unauthenticated user sending a crafted request to the vulnerable plugin's endpoint [1]. The attacker must have knowledge of a suitable POP chain within the WordPress installation or loaded libraries to achieve meaningful outcomes. No user interaction is needed beyond delivering the malicious payload [1].

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, or other impacts depending on the available POP chain [1]. The CVSS v3 base score is 9.8 (Critical), indicating the severity of potential compromise without authentication. This vulnerability is considered highly dangerous and is expected to be exploited in mass campaigns targeting thousands of websites [1].

Mitigation

The vulnerability is patched in version 1.1.9 of the plugin [1]. Users should update to 1.1.9 or later immediately. If unable to update, users should ask their hosting provider or web developer for assistance and consider using a web application firewall or the Patchstack mitigation rule to block attacks [1]. No other workarounds are mentioned in the provided references.