[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_4fYs8zmgFv24L01fXcpo0ByB8sc8LkcM5-L6bkd1K8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-49768","happyforms-form-builder-for-wordpress-drag-drop-contact-forms-surveys-payments-multipurpose-forms-unauthenticated-php-ob","Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms \u003C= 1.26.13 - Unauthenticated PHP Object Injection","The Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.26.13 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","happyforms",null,"\u003C=1.26.13","1.26.14","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-04 00:00:00","2026-06-08 14:29:29",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2bcb155d-a544-4315-921b-62a0bd6b1ca9?source=api-prod",5,[22,23,24,25,26,27,28],"core\u002Fclasses\u002Fclass-admin-notices.php","core\u002Fclasses\u002Fclass-form-controller.php","core\u002Fclasses\u002Fclass-form-option-limiter.php","core\u002Fhelpers\u002Fhelper-misc.php","happyforms.php","languages\u002Fhappyforms.pot","readme.txt","researched",false,3,"This research plan outlines the steps required to analyze and demonstrate the Unauthenticated PHP Object Injection vulnerability in the Happyforms plugin (CVE-2026-49768).\n\n### 1. Vulnerability Summary\nThe **Happyforms** plugin is vulnerable to **PHP Object Injection** due to the use of `maybe_unserialize()` on untrusted user input. Specifically, the function `happyforms_get_message_part_value()` in `core\u002Fhelpers\u002Fhelper-misc.php` attempts to unserialize field values submitted by users. If a form is configured to display submitted values in a confirmation message or email, an unauthenticated attacker can provide a serialized PHP object in a form field, which will be executed during the submission processing phase.\n\n### 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** `happyforms_submit` (typically registered as `wp_ajax_nopriv_happyforms_submit`)\n- **Vulnerable Parameter:** Any form field parameter (e.g., `happyforms_field_123`)\n- **Authentication:** None (Unauthenticated)\n- **Preconditions:** A Happyforms form must be published on a page, and its \"Success Message\" or confirmation settings must be configured to process or display the submitted values (triggering the sink).\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a `POST` request to `admin-ajax.php` with `action=happyforms_submit`.\n2.  **Processing:** The submission controller (likely `HappyForms_Submission_Controller`) handles the request.\n3.  **Sink Path:** To generate a response or send notification emails, the plugin processes the submitted field values.\n4.  **Vulnerable Function:** It calls `happyforms_get_message_part_value( $value, ... )` in `core\u002Fhelpers\u002Fhelper-misc.php`.\n5.  **Execution:** Inside `happyforms_get_message_part_value()`:\n    ```php\n    if ( is_string( $value ) ) {\n        $value = maybe_unserialize( $value ); \u002F\u002F \u003C--- VULNERABILITY\n    }\n    ```\n    If `$value` starts with `O:`, `a:`, `s:`, etc., `maybe_unserialize` will attempt to reconstruct the PHP object, triggering `__wakeup()` or `__destruct()` methods if a POP chain is available.\n\n### 4. Nonce Acquisition Strategy\nHappyforms protects its submission endpoint with a WordPress nonce.\n- **Nonce Action:** `happyforms_submit` (or similar, verify in source).\n- **Localization:** The nonce is localized in the `happyforms_settings` JavaScript object.\n- **Extraction Steps:**\n    1.  Find a page containing a Happyforms form.\n    2.  Navigate to the page using `browser_navigate`.\n    3.  Extract the nonce and the form ID using `browser_eval`:\n        ```javascript\n        \u002F\u002F Example extraction\n        const settings = window.happyforms_settings;\n        return {\n            nonce: settings.ajax_nonce,\n            form_id: document.querySelector('input[name=\"happyforms_form_id\"]')?.value\n        };\n        ```\n\n### 5. Exploitation Strategy\n1.  **Reconnaissance:** Visit the target site and find a page with a form. Note the `form_id` and field names (e.g., `happyforms_6`, `happyforms_7`).\n2.  **Payload Generation:** Create a serialized PHP object payload. Since no internal POP chain is identified, use a generic object to test for deserialization (e.g., `O:8:\"stdClass\":0:{}`).\n3.  **Submission:** Use the `http_request` tool to send the payload.\n    - **Method:** `POST`\n    - **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n    - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    - **Body:**\n        ```text\n        action=happyforms_submit&\n        happyforms_form_id=\u003CFORM_ID>&\n        _wpnonce=\u003CNONCE>&\n        \u003CFIELD_NAME>=O:8:\"stdClass\":0:{}&\n        ... (other required fields)\n        ```\n4.  **Trigger:** Ensure","The Happyforms plugin for WordPress is vulnerable to unauthenticated PHP Object Injection due to the insecure use of the `maybe_unserialize` function on user-controlled form field values. Attackers can exploit this by submitting a form with a serialized PHP object payload, which triggers deserialization and can lead to remote code execution if a suitable POP chain is present on the system.","\u002F* core\u002Fhelpers\u002Fhelper-misc.php line 145 *\u002F\nfunction happyforms_get_message_part_value( $value, $part = array(), $destination = '' ) {\n\t$original_value = $value;\n\n\tif ( is_string( $value ) {\n\t\t$value = maybe_unserialize( $value );\n\t}\n\n---\n\n\u002F* core\u002Fclasses\u002Fclass-form-controller.php line 649 *\u002F\n$form_meta = array_map( 'maybe_unserialize', $form_meta );\n\n---\n\n\u002F* core\u002Fclasses\u002Fclass-form-option-limiter.php line 260 *\u002F\n$messages = array_map( function( $message ) {\n\treturn maybe_unserialize( $message['meta_value'] );\n}, $messages );","diff -ru \u002Fcore\u002Fclasses\u002Fclass-form-controller.php \u002Fcore\u002Fclasses\u002Fclass-form-controller.php\n--- \u002Fcore\u002Fclasses\u002Fclass-form-controller.php\t2023-03-23 10:25:44.000000000 +0000\n+++ \u002Fcore\u002Fclasses\u002Fclass-form-controller.php\t2026-05-27 22:04:52.000000000 +0000\n@@ -646,7 +646,7 @@\n \t\t\t\treturn $value[0];\n \t\t\t}, $form_meta );\n \n-\t\t\t$form_meta = array_map( 'maybe_unserialize', $form_meta );\n+\t\t\t$form_meta = array_map( 'happyforms_maybe_unserialize', $form_meta );\n \n \t\t\tforeach ( $form_meta as $key => $value ) {\n \t\t\t\tadd_post_meta( $duplicate_id, $key, $value );\ndiff -ru \u002Fcore\u002Fhelpers\u002Fhelper-misc.php \u002Fcore\u002Fhelpers\u002Fhelper-misc.php\n--- \u002Fcore\u002Fhelpers\u002Fhelper-misc.php\t2023-06-27 14:29:48.000000000 +0000\n+++ \u002Fcore\u002Fhelpers\u002Fhelper-misc.php\t2026-05-27 22:04:52.000000000 +0000\n@@ -72,6 +72,65 @@\n \n endif;\n \n+if ( ! function_exists( 'happyforms_maybe_unserialize' ) ):\n+\u002F**\n+ * Safely unserialize a stored value.\n+ *\u002F\n+function happyforms_maybe_unserialize( $value ) {\n+\tif ( ! is_string( $value ) || ! is_serialized( $value ) ) {\n+\t\treturn $value;\n+\t}\n+\n+\t$unserialized = @unserialize( trim( $value ), array( 'allowed_classes' => false ) );\n+\n+\tif ( false === $unserialized || happyforms_value_contains_object( $unserialized ) ) {\n+\t\treturn $value;\n+\t}\n+\n+\treturn $unserialized;\n+}\n+\n+endif;\n+\n if ( ! function_exists( 'happyforms_get_message_part_value' ) ):\n \u002F**\n  * Get the part submission value in a readable format.\n@@ -88,7 +147,7 @@\n \t$original_value = $value;\n \n \tif ( is_string( $value ) ) {\n-\t\t$value = maybe_unserialize( $value );\n+\t\t$value = happyforms_maybe_unserialize( $value );\n \t}","1. **Identify Form**: Locate a page on the target site containing a Happyforms form and note the `form_id` and field names (e.g., `happyforms_field_1`).\n2. **Obtain Nonce**: Extract the AJAX nonce from the `happyforms_settings` JavaScript object on the page (`window.happyforms_settings.ajax_nonce`).\n3. **Craft Payload**: Generate a PHP serialized object payload targeting a POP chain available in the environment (e.g., from another plugin or theme).\n4. **Trigger Injection**: Send an unauthenticated AJAX request to `wp-admin\u002Fadmin-ajax.php` with the `action` parameter set to `happyforms_submit`, including the correct `_wpnonce`, `happyforms_form_id`, and the serialized payload in one of the form field parameters.\n5. **Execution**: The plugin processes the submission and calls `happyforms_get_message_part_value`, which executes `maybe_unserialize` on the malicious payload, triggering the POP chain.","gemini-3-flash-preview","2026-06-26 04:40:37","2026-06-26 04:42:22",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.26.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappyforms\u002Ftags\u002F1.26.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappyforms.1.26.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappyforms\u002Ftags\u002F1.26.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappyforms.1.26.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappyforms\u002Ftags"]