Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.6 - Unauthenticated PHP Object Injection
Description
The Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.6 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.1.6What Changed in the Fix
Changes introduced in v1.1.7
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-49106 ## 1. Vulnerability Summary The **Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms** plugin (versions <= 1.1.6) is vulnerable to **Unauthenticated PHP Object Injection**. This occurs because the plugin handles certai…
Show full research plan
Exploitation Research Plan - CVE-2026-49106
1. Vulnerability Summary
The Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin (versions <= 1.1.6) is vulnerable to Unauthenticated PHP Object Injection. This occurs because the plugin handles certain administrative or API-related functions via the admin_init hook without verifying the user's identity or checking for a valid security nonce. Specifically, user-controlled input provided in a request parameter is passed directly to unserialize() (or maybe_unserialize()), allowing an attacker to inject arbitrary PHP objects into the application scope.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(or any admin endpoint that triggersadmin_init). - Hook:
admin_init(via thevxcf_ccontact_pages::setup_pluginmethod). - Trigger Parameter:
vxcf_ccontact_test_api(or similar, inferred from the plugin IDvxcf_ccontact). - Payload Parameter:
info. - Authentication: Unauthenticated. The
admin_inithook in WordPress runs even for unauthenticated users accessingadmin-ajax.php. - Preconditions: The plugin must be active.
3. Code Flow
- Entry Point: A request is made to `/wp-admin/admin-ajax.php
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.