CVE-2026-49765

Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.1.9
Patched in
5d
Time to patch

Description

The Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.8 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.1.8
PublishedJune 4, 2026
Last updatedJune 8, 2026
Affected plugincf7-mailchimp

What Changed in the Fix

Changes introduced in v1.1.9

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the technical steps required to exploit the **unauthenticated PHP Object Injection** vulnerability (CVE-2026-49765) in the **Integration for Mailchimp and Contact Form 7** plugin. ### 1. Vulnerability Summary * **Vulnerability:** PHP Object Injection * **Root Cause:*…

Show full research plan

This research plan outlines the technical steps required to exploit the unauthenticated PHP Object Injection vulnerability (CVE-2026-49765) in the Integration for Mailchimp and Contact Form 7 plugin.

1. Vulnerability Summary

  • Vulnerability: PHP Object Injection
  • Root Cause: The plugin registers unauthenticated AJAX handlers that process user-supplied data through maybe_unserialize() or unserialize() without sufficient validation or integrity checks (like HMAC).
  • Sink: maybe_unserialize(stripslashes($_POST['info'])) or similar.
  • Affected File: Likely includes/crmperks-cf.php or cf7-mailchimp.php (AJAX handler definitions).
  • Severity: High (8.1) — While no POP chain is inherent to the plugin, it can leverage chains in WordPress core or other active plugins/themes.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: vxcf_mailchimp_test_connection (Inferred based on vendor patterns) or vxcf_mailchimp_get_crm_fields.
  • Authentication: None (registered via wp_ajax_nopriv_).
  • Parameter: info (contains the serialized object).
  • Nonce: Required (vxcf_mailchimp_ajax_nonce).

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with the action parameter set to vxcf_mailchimp_test_connection.
  2. Hook Trigger: WordPress triggers the function hooked to wp_ajax_nopriv_vxcf_mailchimp_test_connection.
  3. Nonce Validation: The handler calls check_ajax_referer('vxcf_mailchimp_ajax_nonce', 'nonce').
  4. Vulnerable Sink: The handler retrieves $_POST['info'], strips slashes, and passes it to maybe_unserialize().
  5. Execution: If a POP chain is available, the __wakeup() or __destruct() magic methods are triggered upon deserialization.

4. Nonce Acquisition Strategy

The plugin localizes the nonce for its AJAX operations. Because this plugin supports form integrations, the script and its associated nonce are often enqueued on the frontend where forms (like Contact Form 7) are present.

  1. Identify Nonce Source: The nonce is localized in a global JavaScript object, typically vxcf_mailchimp_vars.
  2. Trigger Script Loading: Create a page with a Contact Form 7 shortcode to ensure the plugin's frontend assets are loaded.
    • wp post create --post_type=page --post_status=publish --post_title="Contact" --post_content='[contact-form-7 id="123"]'
  3. Extraction:
    • Navigate to the page.
    • Run in console: browser_eval("window.vxcf_mailchimp_vars?.ajax_nonce").
  4. Alternate Nonce Name: If the above fails, check for vxcf_mailchimp_ajax_nonce or look for wp_localize_script calls in the plugin source using:
    • grep -r "wp_localize_script" /var/www/html/wp-content/plugins/cf7-mailchimp/

5. Exploitation Strategy

Step 1: Discover the exact AJAX Action

Search the plugin code for wp_ajax_nopriv to confirm the target action name:

grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/cf7-mailchimp/

Step 2: Craft the Payload

Since no internal POP chain is confirmed, use a generic payload to confirm injection (e.g., triggering a class that exists in the environment).

Example Payload (Logical Confirmation):
If vxcf_mailchimp_api was used as a target for testing (assuming it's loaded):
O:20:"vxcf_mailchimp_api":1:{s:4:"info";a:1:{s:4:"data";a:1:{s:7:"api_key";s:5:"a-b-c";}}}

To confirm exploitation in a standard WordPress environment, look for common core chains like Requests_Utility_FilteredIterator or GuzzleHttp\Cookie\FileCookieJar (if Guzzle is present).

Step 3: Execute the Request

Use the http_request tool to send the serialized object.

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=vxcf_mailchimp_test_connection&nonce=[EXTRACTED_NONCE]&info=[URL_ENCODED_SERIALIZED_OBJECT]
    

6. Test Data Setup

  1. Install Plugin: Ensure cf7-mailchimp version 1.1.8 is active.
  2. Enable Dependencies: Install and activate Contact Form 7.
  3. Create Form Page:
    • wp post create --post_type=page --post_status=publish --post_content='[contact-form-7 id="any"]' (This ensures the AJAX nonce is generated and localized).

7. Expected Results

  • Successful Injection: The server processes the request. If using a payload that triggers an error or a specific file operation (via a POP chain), that effect should be observable.
  • Confirmation: A successful deserialization often results in a PHP error if the injected object's properties don't match the expected types in the subsequent code (e.g., "Expected array, object given"), confirming the object was instantiated.

8. Verification Steps

  1. Log Analysis: Check wp-content/debug.log (if WP_DEBUG is on) for errors related to the injected class.
  2. System State: If using a file-deletion POP chain (like GuzzleHttp\Cookie\FileCookieJar), verify if the target file was deleted.
  3. Reflection: Use a payload that modifies a global or accessible property if a suitable chain exists.

9. Alternative Approaches

  • Different Sinks: Check if vxcf_mailchimp_get_crm_fields or other AJAX actions use the same info parameter and maybe_unserialize sink.
  • Blind Injection: Use O:8:"stdClass":0:{} to test if the basic request structure (action + nonce) is accepted by the server without error.
  • Vulnerable Constants: Check if the plugin defines any constants or loads configuration from files that can be manipulated via the injected object's __destruct method.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Integration for Mailchimp and Contact Form 7 plugin for WordPress is vulnerable to unauthenticated PHP Object Injection in versions up to 1.1.8. This occurs because the plugin processes user-supplied data through the `maybe_unserialize()` function without adequate validation, allowing an attacker to inject and instantiate arbitrary PHP objects.

Vulnerable Code

// File: cf7-mailchimp.php (Line 966-970 in version 1.1.8)
     if(!is_array($value)){
          $value=maybe_unserialize($value);
     }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.8/api/api.php /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.9/api/api.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.8/api/api.php	2024-04-22 11:11:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.9/api/api.php	2025-05-22 12:16:30.000000000 +0000
@@ -298,8 +298,7 @@
     $type=$crm_fields[$k]['type']; 
 $val=$v['value'];
 
-if($type == 'birthday'){ $temp_val=strtotime($val); if(!empty($temp_val)){ $val=date('m/d',$temp_val); } }
-else if($type == 'gdpr'){
+ if($type == 'gdpr'){
  $post['marketing_permissions'][]=array('marketing_permission_id'=>$k,'enabled'=>!empty($v) ? true : false);   
 }elseif($type == 'address'){
 if(strpos($k,'-') !== false){
@@ -325,7 +324,8 @@
  } }
 }
 }else{
-$merge_fields[$k]=$val;      
+if($type == 'birthday'){ $temp_val=strtotime($val); if(!empty($temp_val)){ $val=date('m/d',$temp_val); } }
+    $merge_fields[$k]=$val;      
 }   }
 }
 if(!empty($merge_fields)){
@@ -345,7 +345,7 @@
 }
 
 } } 
-///var_dump($post,$meta['groups']); die();
+//var_dump($post,$meta['groups']); die();
 $link=""; $error="";
 if(!empty($method) && !empty($object_url) ){
 $arr= $this->post_crm($object_url, $method,$post);
@@ -461,16 +461,12 @@
 return $error;    
 }
 
-public function post_crm($path,$method,$body=''){
-       
+public function post_crm($path,$method,$body=''){   
       $url=$this->url.$path;   
     if(is_array($body)&& count($body)>0)
    { 
-       $body=json_encode($body);
+       $body=json_encode($body); 
    }
-       
-
-
      $head=array('Authorization'=> ' apikey ' .$this->api_key); 
        if($method == 'post'){
        $head['Content-Type']='application/json';   
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.8/cf7-mailchimp.php /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.9/cf7-mailchimp.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.8/cf7-mailchimp.php	2025-01-19 10:39:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.9/cf7-mailchimp.php	2025-05-22 12:16:30.000000000 +0000
@@ -2,7 +2,7 @@
 /**
 * Plugin Name: WP Contact Form Mailchimp
 * Description: Integrates Contact Form 7, <a href="https://wordpress.org/plugins/contact-form-entries/">Contact Form Entries Plugin</a> and many other forms with Mailchimp allowing form submissions to be automatically sent to your Mailchimp account 
-* Version: 1.1.8
+* Version: 1.1.9
 * Author URI: https://www.crmperks.com
 * Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/contact-form-mailchimp-plugin/
 * Author: CRM Perks.
@@ -24,7 +24,7 @@
   public  $crm_name = "mailchimp";
   public  $id = "vxcf_mailchimp";
   public  $domain = "vxcf-mailchimp";
-  public  $version = "1.1.8";
+  public  $version = "1.1.9";
   public  $update_id = "6000001";
   public  $min_cf_version = "1.0";
   public $type = "vxcf_mailchimp";
@@ -966,7 +966,7 @@
       $value=$value['value'];   
      }
      if(!is_array($value)){
-          $value=maybe_unserialize($value);
+         // $value=maybe_unserialize($value);
      }
   
   }
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.8/readme.txt /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.9/readme.txt
--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.8/readme.txt	2025-04-24 06:08:22.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.1.9/readme.txt	2025-05-22 12:16:30.000000000 +0000
@@ -3,8 +3,8 @@
 Tags: contact form 7, contact form 7 mailchimp, elementor form mailchimp, mailchimp, ninja forms mailchimp
 Requires at least: 3.8
 Tested up to: 6.8
-Stable tag: 1.1.8
-Version: 1.1.8
+Stable tag: 1.1.9
+Version: 1.1.9
 Requires PHP: 5.3
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -193,6 +193,10 @@
 
 == Changelog ==
 
+= 1.1.9 =
+* fixed "birthday field" issue.
+* fixed "PHP Object Injection Vulnerability" issue.
+
 = 1.1.8 =
 * fixed "select2 xss" issue.

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker targets one of the plugin's registered unauthenticated AJAX actions, such as `vxcf_mailchimp_test_connection`. First, the attacker must obtain a valid security nonce (e.g., `vxcf_mailchimp_ajax_nonce`), which is commonly exposed in the source code of frontend pages containing integrated forms (like Contact Form 7). Using this nonce, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `info` or other vulnerable parameter set to a URL-encoded serialized PHP object. If a suitable POP chain exists in the site's active plugins or themes, the deserialization will trigger magic methods (like `__destruct` or `__wakeup`), leading to consequences such as arbitrary file deletion or remote code execution.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.