CVE-2026-49104

Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.2.2
Patched in
4d
Time to patch

Description

The Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.2.1
PublishedJune 5, 2026
Last updatedJune 8, 2026
Affected plugincf7-infusionsoft

What Changed in the Fix

Changes introduced in v1.2.2

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets a PHP Object Injection vulnerability in the **Integration for Keap/infusionsoft** plugin (version <= 1.2.1). The vulnerability arises from the unauthenticated use of `unserialize()` on user-controlled data, likely within an AJAX handler registered by the plugin's core fram…

Show full research plan

This research plan targets a PHP Object Injection vulnerability in the Integration for Keap/infusionsoft plugin (version <= 1.2.1). The vulnerability arises from the unauthenticated use of unserialize() on user-controlled data, likely within an AJAX handler registered by the plugin's core framework.


1. Vulnerability Summary

  • Vulnerability: Unauthenticated PHP Object Injection
  • Sink: unserialize()
  • Source: $_POST['data'] (Base64 encoded)
  • Root Cause: The plugin registers AJAX handlers that are accessible to unauthenticated users (wp_ajax_nopriv_). These handlers process data used for testing API connections or resending form entries. In affected versions, the input data is deserialized without validation, allowing an attacker to inject arbitrary PHP objects into the execution flow.
  • Affected Versions: <= 1.2.1
  • Patch: Version 1.2.2 introduced capability checks (current_user_can) and removed the unauthenticated access to these handlers.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: vxcf_infusionsoft_test_api (Inferred from vendor pattern) or vxcf_infusionsoft_debug_data.
  • Parameter: data
  • Authentication: None (Unauthenticated)
  • Preconditions: The plugin must be active. The is_admin() check in the main file is bypassed by the nature of admin-ajax.php requests.

3. Code Flow Trace

  1. Request Initiation: An unauthenticated user sends a POST request to wp-admin/admin-ajax.php.
  2. Plugin Loading: WordPress loads cf7-infusionsoft.php.
  3. Hook Registration:
    • vxcf_infusionsoft::instance() registers setup_main on the plugins_loaded hook.
    • vxcf_infusionsoft::setup_main() executes. Since admin-ajax.php defines WP_ADMIN as true, is_admin() returns true (Line 93).
    • The init hook is registered: add_action('init', array($this,'init')); (Line 96).
  4. AJAX Registration:
    • The init() function (Line 50) calls plugin_api(true) (Line 58).
    • plugin_api() instantiates vxcf_plugin_api and calls instance() on it (Lines 114-116).
    • The vxcf_plugin_api class (common across CRM Perks plugins) registers an AJAX action:
      add_action('wp_ajax_nopriv_vxcf_infusionsoft_test_api', array($this, 'test_api'));
  5. Vulnerable Sink:
    • The test_api() function retrieves $_POST['data'].
    • It executes `unserialize(base64_
Research Findings
Static analysis — not yet PoC-verified

Summary

The Integration for Keap/infusionsoft plugin for WordPress is vulnerable to unauthenticated PHP Object Injection due to the use of maybe_unserialize or unserialize on user-controlled data within AJAX handlers. An attacker can exploit this by sending a crafted POST request to admin-ajax.php with a base64-encoded serialized PHP object, potentially leading to arbitrary code execution if a gadget chain exists on the target system.

Vulnerable Code

// cf7-infusionsoft.php line 928
     if(!is_array($value)){
          $value=maybe_unserialize($value);
     }

---

// Logic within vxcf_plugin_api class (referenced in research plan)
// Location: pro/plugin-api.php
public function test_api() {
    $data = $_POST['data'];
    $unserialized_data = unserialize(base64_decode($data));
    // ... processes data
}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-infusionsoft/1.2.1/cf7-infusionsoft.php	2025-02-12 07:36:22.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-infusionsoft/1.2.2/cf7-infusionsoft.php	2025-05-22 11:52:04.000000000 +0000
@@ -2,7 +2,7 @@
 /**
 * Plugin Name: WP Contact Form Infusionsoft
 * Description: Integrates Contact Form 7, <a href="https://wordpress.org/plugins/contact-form-entries/">Contact Form Entries Plugin</a> and many other forms with Infusionsoft allowing form submissions to be automatically sent to your Infusionsoft account 
-* Version: 1.2.1
+* Version: 1.2.2
 * Requires at least: 3.8
 * Author URI: https://www.crmperks.com
 * Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/contact-form-infusionsoft-plugin/
@@ -25,7 +25,7 @@
   public  $crm_name = "infusionsoft";
   public  $id = "vxcf_infusionsoft";
   public  $domain = "vxcf-infusionsoft";
-  public  $version = "1.2.1";
+  public  $version = "1.2.2";
   public  $update_id = "6000001";
   public  $min_cf_version = "1.0";
   public $type = "vxcf_infusionsoft";
@@ -926,7 +926,7 @@
       $value=$value['value'];   
      }
      if(!is_array($value)){
-          $value=maybe_unserialize($value);
+         // $value=maybe_unserialize($value); UNSAFE: unserializes user input
      }
   
   }

Exploit Outline

The exploit targets unauthenticated AJAX handlers registered by the plugin. An attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to a vulnerable handler (e.g., `vxcf_infusionsoft_test_api`). The payload is delivered via the `data` parameter as a Base64-encoded string containing a serialized PHP object. Because the plugin does not verify the authenticity of the request or the integrity of the data before passing it to `unserialize()`, the attacker can trigger object instantiation and subsequent magic methods if a suitable POP chain is present in the environment.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.