CVE-2026-49768

Vulnerability

The Happyforms plugin for WordPress versions up to and including 1.26.13 is vulnerable to unauthenticated PHP Object Injection. This occurs because user-supplied input is deserialized without proper validation, allowing an attacker to inject arbitrary PHP objects. The vulnerability is present in the plugin's handling of serialized data, and no authentication is required to trigger it. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object to the vulnerable endpoint. No authentication or user interaction is required. The attacker only needs network access to the WordPress site. The deserialization of the malicious object can trigger a POP (Property Oriented Programming) chain if suitable gadgets are present in the application or its dependencies. [1]

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, or other severe outcomes depending on the available POP chain. The attacker can gain full control over the affected WordPress site, potentially compromising sensitive data and further spreading attacks. The vulnerability is considered critical (CVSS 9.8) and is expected to be used in mass-exploit campaigns. [1]

Mitigation

The vulnerability is fixed in version 1.26.14 of the Happyforms plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule that blocks attacks until the update is applied. Auto-updates can be enabled for vulnerable plugins. No other workarounds are mentioned. [1]