CVE-2026-49106

Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.6 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.1.7
Patched in
5d
Time to patch

Description

The Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.6 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.1.6
PublishedJune 4, 2026
Last updatedJune 8, 2026
Affected plugincf7-constant-contact

What Changed in the Fix

Changes introduced in v1.1.7

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-49106 ## 1. Vulnerability Summary The **Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms** plugin (versions <= 1.1.6) is vulnerable to **Unauthenticated PHP Object Injection**. This occurs because the plugin handles certai…

Show full research plan

Exploitation Research Plan - CVE-2026-49106

1. Vulnerability Summary

The Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin (versions <= 1.1.6) is vulnerable to Unauthenticated PHP Object Injection. This occurs because the plugin handles certain administrative or API-related functions via the admin_init hook without verifying the user's identity or checking for a valid security nonce. Specifically, user-controlled input provided in a request parameter is passed directly to unserialize() (or maybe_unserialize()), allowing an attacker to inject arbitrary PHP objects into the application scope.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (or any admin endpoint that triggers admin_init).
  • Hook: admin_init (via the vxcf_ccontact_pages::setup_plugin method).
  • Trigger Parameter: vxcf_ccontact_test_api (or similar, inferred from the plugin ID vxcf_ccontact).
  • Payload Parameter: info.
  • Authentication: Unauthenticated. The admin_init hook in WordPress runs even for unauthenticated users accessing admin-ajax.php.
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: A request is made to `/wp-admin/admin-ajax.php

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.