[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feAUl8bjmPAkIFrrW6GZYAWDxxRTnCPYQuBKCmh3N5OA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-49765","integration-for-mailchimp-and-contact-form-7-wpforms-elementor-ninja-forms-unauthenticated-php-object-injection","Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms \u003C= 1.1.8 - Unauthenticated PHP Object Injection","The Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.8 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cf7-mailchimp",null,"\u003C=1.1.8","1.1.9","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-04 00:00:00","2026-06-08 14:44:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F68c5d9ad-f6ca-4a3a-b3fc-6b8997a86981?source=api-prod",5,[22,23,24],"api\u002Fapi.php","cf7-mailchimp.php","readme.txt","researched",false,3,"This research plan outlines the technical steps required to exploit the **unauthenticated PHP Object Injection** vulnerability (CVE-2026-49765) in the **Integration for Mailchimp and Contact Form 7** plugin.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** PHP Object Injection\n*   **Root Cause:** The plugin registers unauthenticated AJAX handlers that process user-supplied data through `maybe_unserialize()` or `unserialize()` without sufficient validation or integrity checks (like HMAC).\n*   **Sink:** `maybe_unserialize(stripslashes($_POST['info']))` or similar.\n*   **Affected File:** Likely `includes\u002Fcrmperks-cf.php` or `cf7-mailchimp.php` (AJAX handler definitions).\n*   **Severity:** High (8.1) — While no POP chain is inherent to the plugin, it can leverage chains in WordPress core or other active plugins\u002Fthemes.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `vxcf_mailchimp_test_connection` (Inferred based on vendor patterns) or `vxcf_mailchimp_get_crm_fields`.\n*   **Authentication:** None (registered via `wp_ajax_nopriv_`).\n*   **Parameter:** `info` (contains the serialized object).\n*   **Nonce:** Required (`vxcf_mailchimp_ajax_nonce`).\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with the `action` parameter set to `vxcf_mailchimp_test_connection`.\n2.  **Hook Trigger:** WordPress triggers the function hooked to `wp_ajax_nopriv_vxcf_mailchimp_test_connection`.\n3.  **Nonce Validation:** The handler calls `check_ajax_referer('vxcf_mailchimp_ajax_nonce', 'nonce')`.\n4.  **Vulnerable Sink:** The handler retrieves `$_POST['info']`, strips slashes, and passes it to `maybe_unserialize()`.\n5.  **Execution:** If a POP chain is available, the `__wakeup()` or `__destruct()` magic methods are triggered upon deserialization.\n\n### 4. Nonce Acquisition Strategy\nThe plugin localizes the nonce for its AJAX operations. Because this plugin supports form integrations, the script and its associated nonce are often enqueued on the frontend where forms (like Contact Form 7) are present.\n\n1.  **Identify Nonce Source:** The nonce is localized in a global JavaScript object, typically `vxcf_mailchimp_vars`.\n2.  **Trigger Script Loading:** Create a page with a Contact Form 7 shortcode to ensure the plugin's frontend assets are loaded.\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[contact-form-7 id=\"123\"]'`\n3.  **Extraction:**\n    *   Navigate to the page.\n    *   Run in console: `browser_eval(\"window.vxcf_mailchimp_vars?.ajax_nonce\")`.\n4.  **Alternate Nonce Name:** If the above fails, check for `vxcf_mailchimp_ajax_nonce` or look for `wp_localize_script` calls in the plugin source using:\n    *   `grep -r \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcf7-mailchimp\u002F`\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discover the exact AJAX Action\nSearch the plugin code for `wp_ajax_nopriv` to confirm the target action name:\n```bash\ngrep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcf7-mailchimp\u002F\n```\n\n#### Step 2: Craft the Payload\nSince no internal POP chain is confirmed, use a generic payload to confirm injection (e.g., triggering a class that exists in the environment). \n\n**Example Payload (Logical Confirmation):**\nIf `vxcf_mailchimp_api` was used as a target for testing (assuming it's loaded):\n`O:20:\"vxcf_mailchimp_api\":1:{s:4:\"info\";a:1:{s:4:\"data\";a:1:{s:7:\"api_key\";s:5:\"a-b-c\";}}}`\n\nTo confirm exploitation in a standard WordPress environment, look for common core chains like `Requests_Utility_FilteredIterator` or `GuzzleHttp\\Cookie\\FileCookieJar` (if Guzzle is present).\n\n#### Step 3: Execute the Request\nUse the `http_request` tool to send the serialized object.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=vxcf_mailchimp_test_connection&nonce=[EXTRACTED_NONCE]&info=[URL_ENCODED_SERIALIZED_OBJECT]\n    ```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `cf7-mailchimp` version 1.1.8 is active.\n2.  **Enable Dependencies:** Install and activate Contact Form 7.\n3.  **Create Form Page:**\n    *   `wp post create --post_type=page --post_status=publish --post_content='[contact-form-7 id=\"any\"]'` (This ensures the AJAX nonce is generated and localized).\n\n### 7. Expected Results\n*   **Successful Injection:** The server processes the request. If using a payload that triggers an error or a specific file operation (via a POP chain), that effect should be observable.\n*   **Confirmation:** A successful deserialization often results in a PHP error if the injected object's properties don't match the expected types in the subsequent code (e.g., \"Expected array, object given\"), confirming the object was instantiated.\n\n### 8. Verification Steps\n1.  **Log Analysis:** Check `wp-content\u002Fdebug.log` (if `WP_DEBUG` is on) for errors related to the injected class.\n2.  **System State:** If using a file-deletion POP chain (like `GuzzleHttp\\Cookie\\FileCookieJar`), verify if the target file was deleted.\n3.  **Reflection:** Use a payload that modifies a global or accessible property if a suitable chain exists.\n\n### 9. Alternative Approaches\n*   **Different Sinks:** Check if `vxcf_mailchimp_get_crm_fields` or other AJAX actions use the same `info` parameter and `maybe_unserialize` sink.\n*   **Blind Injection:** Use `O:8:\"stdClass\":0:{}` to test if the basic request structure (action + nonce) is accepted by the server without error.\n*   **Vulnerable Constants:** Check if the plugin defines any constants or loads configuration from files that can be manipulated via the injected object's `__destruct` method.","The Integration for Mailchimp and Contact Form 7 plugin for WordPress is vulnerable to unauthenticated PHP Object Injection in versions up to 1.1.8. This occurs because the plugin processes user-supplied data through the `maybe_unserialize()` function without adequate validation, allowing an attacker to inject and instantiate arbitrary PHP objects.","\u002F\u002F File: cf7-mailchimp.php (Line 966-970 in version 1.1.8)\n     if(!is_array($value)){\n          $value=maybe_unserialize($value);\n     }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.8\u002Fapi\u002Fapi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.9\u002Fapi\u002Fapi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.8\u002Fapi\u002Fapi.php\t2024-04-22 11:11:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.9\u002Fapi\u002Fapi.php\t2025-05-22 12:16:30.000000000 +0000\n@@ -298,8 +298,7 @@\n     $type=$crm_fields[$k]['type']; \n $val=$v['value'];\n \n-if($type == 'birthday'){ $temp_val=strtotime($val); if(!empty($temp_val)){ $val=date('m\u002Fd',$temp_val); } }\n-else if($type == 'gdpr'){\n+ if($type == 'gdpr'){\n  $post['marketing_permissions'][]=array('marketing_permission_id'=>$k,'enabled'=>!empty($v) ? true : false);   \n }elseif($type == 'address'){\n if(strpos($k,'-') !== false){\n@@ -325,7 +324,8 @@\n  } }\n }\n }else{\n-$merge_fields[$k]=$val;      \n+if($type == 'birthday'){ $temp_val=strtotime($val); if(!empty($temp_val)){ $val=date('m\u002Fd',$temp_val); } }\n+    $merge_fields[$k]=$val;      \n }   }\n }\n if(!empty($merge_fields)){\n@@ -345,7 +345,7 @@\n }\n \n } } \n-\u002F\u002F\u002Fvar_dump($post,$meta['groups']); die();\n+\u002F\u002Fvar_dump($post,$meta['groups']); die();\n $link=\"\"; $error=\"\";\n if(!empty($method) && !empty($object_url) ){\n $arr= $this->post_crm($object_url, $method,$post);\n@@ -461,16 +461,12 @@\n return $error;    \n }\n \n-public function post_crm($path,$method,$body=''){\n-       \n+public function post_crm($path,$method,$body=''){   \n       $url=$this->url.$path;   \n     if(is_array($body)&& count($body)>0)\n    { \n-       $body=json_encode($body);\n+       $body=json_encode($body); \n    }\n-       \n-\n-\n      $head=array('Authorization'=> ' apikey ' .$this->api_key); \n        if($method == 'post'){\n        $head['Content-Type']='application\u002Fjson';   \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.8\u002Fcf7-mailchimp.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.9\u002Fcf7-mailchimp.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.8\u002Fcf7-mailchimp.php\t2025-01-19 10:39:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.9\u002Fcf7-mailchimp.php\t2025-05-22 12:16:30.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n * Plugin Name: WP Contact Form Mailchimp\n * Description: Integrates Contact Form 7, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-entries\u002F\">Contact Form Entries Plugin\u003C\u002Fa> and many other forms with Mailchimp allowing form submissions to be automatically sent to your Mailchimp account \n-* Version: 1.1.8\n+* Version: 1.1.9\n * Author URI: https:\u002F\u002Fwww.crmperks.com\n * Plugin URI: https:\u002F\u002Fwww.crmperks.com\u002Fplugins\u002Fcontact-form-plugins\u002Fcontact-form-mailchimp-plugin\u002F\n * Author: CRM Perks.\n@@ -24,7 +24,7 @@\n   public  $crm_name = \"mailchimp\";\n   public  $id = \"vxcf_mailchimp\";\n   public  $domain = \"vxcf-mailchimp\";\n-  public  $version = \"1.1.8\";\n+  public  $version = \"1.1.9\";\n   public  $update_id = \"6000001\";\n   public  $min_cf_version = \"1.0\";\n   public $type = \"vxcf_mailchimp\";\n@@ -966,7 +966,7 @@\n       $value=$value['value'];   \n      }\n      if(!is_array($value)){\n-          $value=maybe_unserialize($value);\n+         \u002F\u002F $value=maybe_unserialize($value);\n      }\n   \n   }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.8\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.9\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.8\u002Freadme.txt\t2025-04-24 06:08:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-mailchimp\u002F1.1.9\u002Freadme.txt\t2025-05-22 12:16:30.000000000 +0000\n@@ -3,8 +3,8 @@\n Tags: contact form 7, contact form 7 mailchimp, elementor form mailchimp, mailchimp, ninja forms mailchimp\n Requires at least: 3.8\n Tested up to: 6.8\n-Stable tag: 1.1.8\n-Version: 1.1.8\n+Stable tag: 1.1.9\n+Version: 1.1.9\n Requires PHP: 5.3\n License: GPLv3\n License URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-3.0.html\n@@ -193,6 +193,10 @@\n \n == Changelog ==\n \n+= 1.1.9 =\n+* fixed \"birthday field\" issue.\n+* fixed \"PHP Object Injection Vulnerability\" issue.\n+\n = 1.1.8 =\n * fixed \"select2 xss\" issue.","To exploit this vulnerability, an unauthenticated attacker targets one of the plugin's registered unauthenticated AJAX actions, such as `vxcf_mailchimp_test_connection`. First, the attacker must obtain a valid security nonce (e.g., `vxcf_mailchimp_ajax_nonce`), which is commonly exposed in the source code of frontend pages containing integrated forms (like Contact Form 7). Using this nonce, the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `info` or other vulnerable parameter set to a URL-encoded serialized PHP object. If a suitable POP chain exists in the site's active plugins or themes, the deserialization will trigger magic methods (like `__destruct` or `__wakeup`), leading to consequences such as arbitrary file deletion or remote code execution.","gemini-3-flash-preview","2026-06-26 04:50:06","2026-06-26 04:51:38",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.1.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-mailchimp\u002Ftags\u002F1.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-mailchimp.1.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-mailchimp\u002Ftags\u002F1.1.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-mailchimp.1.1.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-mailchimp\u002Ftags"]