[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvNSKUxMjqvOCUJ2SQA4XLMMoxaugrfy0s42ripEoRI4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2026-49106","integration-for-constant-contact-and-contact-form-7-wpforms-elementor-ninja-forms-unauthenticated-php-object-injection","Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms \u003C= 1.1.6 - Unauthenticated PHP Object Injection","The Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.6 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cf7-constant-contact",null,"\u003C=1.1.6","1.1.7","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-04 00:00:00","2026-06-08 14:46:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1f36f0d8-4510-4d94-b8e5-5a3d98b0a8b4?source=api-prod",5,[22,23,24,25],"api\u002Fapi.php","cf7-constant-contact.php","includes\u002Fplugin-pages.php","readme.txt","researched",false,3,"\n# Exploitation Research Plan - CVE-2026-49106\n\n## 1. Vulnerability Summary\nThe **Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms** plugin (versions \u003C= 1.1.6) is vulnerable to **Unauthenticated PHP Object Injection**. This occurs because the plugin handles certain administrative or API-related functions via the `admin_init` hook without verifying the user's identity or checking for a valid security nonce. Specifically, user-controlled input provided in a request parameter is passed directly to `unserialize()` (or `maybe_unserialize()`), allowing an attacker to inject arbitrary PHP objects into the application scope.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (or any admin endpoint that triggers `admin_init`).\n- **Hook:** `admin_init` (via the `vxcf_ccontact_pages::setup_plugin` method).\n- **Trigger Parameter:** `vxcf_ccontact_test_api` (or similar, inferred from the plugin ID `vxcf_ccontact`).\n- **Payload Parameter:** `info`.\n- **Authentication:** Unauthenticated. The `admin_init` hook in WordPress runs even for unauthenticated users accessing `admin-ajax.php`.\n- **Preconditions:** The plugin must be active.\n\n## 3. Code Flow\n1. **Entry Point:** A request is made to `\u002Fwp-admin\u002Fadmin-ajax.php","gemini-3-flash-preview","2026-06-26 04:38:05","2026-06-26 04:39:47",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.1.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-constant-contact\u002Ftags\u002F1.1.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-constant-contact.1.1.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-constant-contact\u002Ftags\u002F1.1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-constant-contact.1.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-constant-contact\u002Ftags"]