[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhZwN7Jp3lOtYG-6ArcZBwJKHBm89TnofQ-U3Hma2jqE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-9691","integration-for-activecampaign-and-contact-form-7-wpforms-elementor-ninja-forms-unauthenticated-php-object-injection","Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms \u003C= 1.1.1 - Unauthenticated PHP Object Injection","The Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cf7-active-campaign",null,"\u003C=1.1.1","1.1.2","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-05 00:00:00","2026-06-08 14:42:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7d0e4fc9-1997-4d83-b424-93607380a352?source=api-prod",4,[22,23],"cf7-active-campaign.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-9691\n\n## 1. Vulnerability Summary\nThe **Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms** plugin (slug: `cf7-active-campaign`) is vulnerable to **Unauthenticated PHP Object Injection** in versions up to and including 1.1.1. The vulnerability exists due to the use of `maybe_unserialize()` or `unserialize()` on untrusted input provided via POST parameters during form submissions. Specifically, the plugin's field-mapping logic allows an attacker to supply a serialized PHP object through a specific parameter (likely `vxcf_activecamp_fields`), which is processed when a form is submitted on the frontend.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Any public-facing page containing a form integrated with the plugin (e.g., Contact Form 7, WPForms, Elementor, or Ninja Forms).\n- **Target Hook:** `wpcf7_before_send_mail` (Contact Form 7), `wpforms_process_entry_save` (WPForms), or `elementor_pro\u002Fforms\u002Fnew_record` (Elementor).\n- **Vulnerable Parameter:** `vxcf_activecamp_fields` (inferred from the plugin ID `vxcf_activecamp`) or `vxcf_form_fields` (common in CRM Perks plugins).\n- **Authentication:** Unauthenticated (PR:N).\n- **Preconditions:** The","The Integration for ActiveCampaign and Contact Form 7 plugin is vulnerable to unauthenticated PHP Object Injection due to the use of maybe_unserialize() on user-supplied form data. An attacker can exploit this by submitting a form with a crafted serialized PHP object in one of the fields, which can lead to remote code execution if a suitable POP chain is available on the site.","\u002F\u002F cf7-active-campaign.php around line 954\n     if(!is_array($value)){\n          $value=maybe_unserialize($value);\n     }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-active-campaign\u002F1.1.1\u002Fcf7-active-campaign.php\t2025-01-19 10:29:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-active-campaign\u002F1.1.2\u002Fcf7-active-campaign.php\t2025-05-22 12:11:18.000000000 +0000\n@@ -952,7 +952,7 @@\n       $value=$value['value'];   \n      }\n      if(!is_array($value)){\n-          $value=maybe_unserialize($value);\n+         \u002F\u002F $value=maybe_unserialize($value);\n      }\n   \n   }","The exploit targets public-facing forms managed by Contact Form 7, WPForms, Elementor, or Ninja Forms when integrated with this plugin. An attacker identifies a form field that is processed by the ActiveCampaign integration logic (such as any mapped field). They submit a POST request to the form submission endpoint containing a serialized PHP object string as the value for that field. Because the plugin calls maybe_unserialize() on the value before transmission to ActiveCampaign, the object is instantiated. If the WordPress environment contains a usable POP chain (e.g., in other plugins or themes), the attacker can achieve remote code execution, file deletion, or sensitive data retrieval without authentication.","gemini-3-flash-preview","2026-06-26 04:07:18","2026-06-26 04:08:55",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-active-campaign\u002Ftags\u002F1.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-active-campaign.1.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-active-campaign\u002Ftags\u002F1.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-active-campaign.1.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-active-campaign\u002Ftags"]