[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3OC765wABIW0s2_EZn52WfpE1RzLjDt3swRLw6i8rTQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-49763","integration-for-hubspot-and-contact-form-7-wpforms-elementor-ninja-forms-unauthenticated-php-object-injection","Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms \u003C= 1.3.7 - Unauthenticated PHP Object Injection","The Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.3.7 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cf7-hubspot",null,"\u003C=1.3.7","1.3.8","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-04 00:00:00","2026-06-08 14:43:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2f2fcad0-f948-4da5-9bb1-888fc0ced718?source=api-prod",5,[22,23],"cf7-hubspot.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-49763\n\n## 1. Vulnerability Summary\nThe **Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms** plugin (versions \u003C= 1.3.7) is vulnerable to **Unauthenticated PHP Object Injection**. The vulnerability exists because the plugin's form submission handling logic retrieves a user-controlled POST parameter, base64-decodes it, and passes it directly to the `unserialize()` function without prior validation or sanitization. This allows an unauthenticated attacker to inject arbitrary PHP objects into the application scope.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: Any WordPress page containing a supported form (Contact Form 7, WPForms, etc.) or the AJAX submission endpoint for these plugins.\n- **Hook**: `wpcf7_before_send_mail` (for Contact Form 7), `ninja_forms_after_submission` (for Ninja Forms), `wpforms_process_entry_save` (for WPForms), and `elementor_pro\u002Fforms\u002Fnew_record` (for Elementor).\n- **Vulnerable Parameter**: `vxcf_p_data` (POST parameter).\n- **Authentication**: Unauthenticated (available to any guest visitor).\n- **Preconditions**: A supported form must be active and accessible on the frontend.\n\n## 3. Code Flow\n1. **Registration**: In `cf7-hubspot.php`, the `vxcf_hubspot::setup_main()`","The Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to unauthenticated PHP Object Injection via the maybe_unserialize() function. This vulnerability allows an attacker to inject arbitrary PHP objects into the application scope during form submission processing, which can lead to remote code execution if a suitable POP chain is available in the environment.","\u002F\u002F cf7-hubspot.php around line 973\n      $value=$value['value'];   \n     }\n     if(!is_array($value)){\n          $value=maybe_unserialize($value);\n     }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-hubspot\u002F1.3.7\u002Fcf7-hubspot.php\t2025-03-20 10:16:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-hubspot\u002F1.3.8\u002Fcf7-hubspot.php\t2025-05-22 11:58:16.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n * Plugin Name: WP Contact Form HubSpot\n * Description: Integrates Contact Form 7 and \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-entries\u002F\">Contact Form Entries Plugin\u003C\u002Fa> and many other forms with HubSpot allowing form submissions to be automatically sent to your HubSpot account \n-* Version: 1.3.7\n+* Version: 1.3.8\n * Requires at least: 3.8\n * Author URI: https:\u002F\u002Fwww.crmperks.com\n * Plugin URI: https:\u002F\u002Fwww.crmperks.com\u002Fplugins\u002Fcontact-form-plugins\u002Fcontact-form-hubspot-plugin\u002F\n@@ -25,7 +25,7 @@\n   public  $crm_name = \"hubspot\";\n   public  $id = \"vxcf_hubspot\";\n   public  $domain = \"vxcf-hubspot\";\n-  public  $version = \"1.3.7\";\n+  public  $version = \"1.3.8\";\n   public  $update_id = \"6000001\";\n   public  $min_cf_version = \"1.0\";\n   public $type = \"vxcf_hubspot\";\n@@ -973,7 +973,7 @@\n       $value=$value['value'];   \n      }\n      if(!is_array($value)){\n-          $value=maybe_unserialize($value);\n+         \u002F\u002F $value=maybe_unserialize($value);\n      }\n   }else if(isset($_REQUEST[$field_id])){ \n     $value=$this->post($field_id);","To exploit this vulnerability, an unauthenticated attacker identifies a page on the target WordPress site that contains a form supported by the plugin (e.g., Contact Form 7 or WPForms). During the form submission process, the attacker includes a specially crafted payload in the POST parameter 'vxcf_p_data' (or other field parameters processed by the integration). This payload consists of a serialized PHP object, often base64-encoded depending on the specific form handler's path. When the plugin processes the submission, it passes the user-controlled input to maybe_unserialize(), triggering the instantiation of the injected object. If the target system has other plugins or themes installed that contain a usable POP chain, the attacker can leverage this to achieve remote code execution, delete files, or access sensitive data.","gemini-3-flash-preview","2026-06-26 04:42:34","2026-06-26 04:44:02",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.3.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-hubspot\u002Ftags\u002F1.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-hubspot.1.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-hubspot\u002Ftags\u002F1.3.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-hubspot.1.3.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-hubspot\u002Ftags"]