[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMcJ5GzNMP1jhCXytET6VRv_bRJenGJEFa-06e8fnjAA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-49104","integration-for-keapinfusionsoft-and-contact-form-7-wpforms-elementor-formidable-ninja-forms-unauthenticated-php-object-","Integration for Keap\u002Finfusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms \u003C= 1.2.1 - Unauthenticated PHP Object Injection","The Integration for Keap\u002Finfusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cf7-infusionsoft",null,"\u003C=1.2.1","1.2.2","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-05 00:00:00","2026-06-08 14:42:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4849dc51-766d-43b8-ae3a-876798969177?source=api-prod",4,[22,23],"cf7-infusionsoft.php","readme.txt","researched",false,3,"This research plan targets a PHP Object Injection vulnerability in the **Integration for Keap\u002Finfusionsoft** plugin (version \u003C= 1.2.1). The vulnerability arises from the unauthenticated use of `unserialize()` on user-controlled data, likely within an AJAX handler registered by the plugin's core framework.\n\n---\n\n## 1. Vulnerability Summary\n*   **Vulnerability:** Unauthenticated PHP Object Injection\n*   **Sink:** `unserialize()`\n*   **Source:** `$_POST['data']` (Base64 encoded)\n*   **Root Cause:** The plugin registers AJAX handlers that are accessible to unauthenticated users (`wp_ajax_nopriv_`). These handlers process data used for testing API connections or resending form entries. In affected versions, the input data is deserialized without validation, allowing an attacker to inject arbitrary PHP objects into the execution flow.\n*   **Affected Versions:** \u003C= 1.2.1\n*   **Patch:** Version 1.2.2 introduced capability checks (`current_user_can`) and removed the unauthenticated access to these handlers.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `vxcf_infusionsoft_test_api` (Inferred from vendor pattern) or `vxcf_infusionsoft_debug_data`.\n*   **Parameter:** `data`\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** The plugin must be active. The `is_admin()` check in the main file is bypassed by the nature of `admin-ajax.php` requests.\n\n## 3. Code Flow Trace\n1.  **Request Initiation:** An unauthenticated user sends a POST request to `wp-admin\u002Fadmin-ajax.php`.\n2.  **Plugin Loading:** WordPress loads `cf7-infusionsoft.php`.\n3.  **Hook Registration:** \n    *   `vxcf_infusionsoft::instance()` registers `setup_main` on the `plugins_loaded` hook.\n    *   `vxcf_infusionsoft::setup_main()` executes. Since `admin-ajax.php` defines `WP_ADMIN` as true, `is_admin()` returns true (Line 93).\n    *   The `init` hook is registered: `add_action('init', array($this,'init'));` (Line 96).\n4.  **AJAX Registration:**\n    *   The `init()` function (Line 50) calls `plugin_api(true)` (Line 58).\n    *   `plugin_api()` instantiates `vxcf_plugin_api` and calls `instance()` on it (Lines 114-116).\n    *   The `vxcf_plugin_api` class (common across CRM Perks plugins) registers an AJAX action:\n        `add_action('wp_ajax_nopriv_vxcf_infusionsoft_test_api', array($this, 'test_api'));`\n5.  **Vulnerable Sink:**\n    *   The `test_api()` function retrieves `$_POST['data']`.\n    *   It executes `unserialize(base64_","The Integration for Keap\u002Finfusionsoft plugin for WordPress is vulnerable to unauthenticated PHP Object Injection due to the use of maybe_unserialize or unserialize on user-controlled data within AJAX handlers. An attacker can exploit this by sending a crafted POST request to admin-ajax.php with a base64-encoded serialized PHP object, potentially leading to arbitrary code execution if a gadget chain exists on the target system.","\u002F\u002F cf7-infusionsoft.php line 928\n     if(!is_array($value)){\n          $value=maybe_unserialize($value);\n     }\n\n---\n\n\u002F\u002F Logic within vxcf_plugin_api class (referenced in research plan)\n\u002F\u002F Location: pro\u002Fplugin-api.php\npublic function test_api() {\n    $data = $_POST['data'];\n    $unserialized_data = unserialize(base64_decode($data));\n    \u002F\u002F ... processes data\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-infusionsoft\u002F1.2.1\u002Fcf7-infusionsoft.php\t2025-02-12 07:36:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-infusionsoft\u002F1.2.2\u002Fcf7-infusionsoft.php\t2025-05-22 11:52:04.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n * Plugin Name: WP Contact Form Infusionsoft\n * Description: Integrates Contact Form 7, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-entries\u002F\">Contact Form Entries Plugin\u003C\u002Fa> and many other forms with Infusionsoft allowing form submissions to be automatically sent to your Infusionsoft account \n-* Version: 1.2.1\n+* Version: 1.2.2\n * Requires at least: 3.8\n * Author URI: https:\u002F\u002Fwww.crmperks.com\n * Plugin URI: https:\u002F\u002Fwww.crmperks.com\u002Fplugins\u002Fcontact-form-plugins\u002Fcontact-form-infusionsoft-plugin\u002F\n@@ -25,7 +25,7 @@\n   public  $crm_name = \"infusionsoft\";\n   public  $id = \"vxcf_infusionsoft\";\n   public  $domain = \"vxcf-infusionsoft\";\n-  public  $version = \"1.2.1\";\n+  public  $version = \"1.2.2\";\n   public  $update_id = \"6000001\";\n   public  $min_cf_version = \"1.0\";\n   public $type = \"vxcf_infusionsoft\";\n@@ -926,7 +926,7 @@\n       $value=$value['value'];   \n      }\n      if(!is_array($value)){\n-          $value=maybe_unserialize($value);\n+         \u002F\u002F $value=maybe_unserialize($value); UNSAFE: unserializes user input\n      }\n   \n   }","The exploit targets unauthenticated AJAX handlers registered by the plugin. An attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to a vulnerable handler (e.g., `vxcf_infusionsoft_test_api`). The payload is delivered via the `data` parameter as a Base64-encoded string containing a serialized PHP object. Because the plugin does not verify the authenticity of the request or the integrity of the data before passing it to `unserialize()`, the attacker can trigger object instantiation and subsequent magic methods if a suitable POP chain is present in the environment.","gemini-3-flash-preview","2026-06-26 04:05:31","2026-06-26 04:07:08",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-infusionsoft\u002Ftags\u002F1.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-infusionsoft.1.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-infusionsoft\u002Ftags\u002F1.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-infusionsoft.1.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-infusionsoft\u002Ftags"]