CVE-2026-9691

Vulnerability

The WordPress plugin "Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms" in versions up to 1.1.1 is vulnerable to unauthenticated PHP Object Injection. The vulnerability exists due to unsafe deserialization of untrusted input, allowing an attacker to inject arbitrary PHP objects. No authentication is required to exploit this flaw. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing malicious serialized PHP objects to the vulnerable plugin. The attack does not require any prior authentication or user interaction, making it remotely exploitable over the network. The existence of a suitable POP (Property Oriented Programming) chain in the WordPress environment enables code execution. [1]

Impact

Successful exploitation can lead to arbitrary code execution, allowing the attacker to perform actions such as code injection, SQL injection, path traversal, and denial of service. This can result in complete compromise of the affected WordPress site, including data theft, site defacement, or further spread of malware. [1]

Mitigation

The vulnerability has been patched in version 1.1.2 of the plugin. Users are strongly advised to update to this version immediately. If immediate update is not possible, apply a mitigation rule such as those provided by Patchstack to block attacks. Due to the critical severity and active exploitation expected, this is a high-priority update. [1]