CVE-2026-49109

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.4.4
Patched in
5d
Time to patch

Description

The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.3 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.4.3
PublishedJune 4, 2026
Last updatedJune 8, 2026
Affected plugincf7-salesforce

What Changed in the Fix

Changes introduced in v1.4.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan targets **CVE-2026-49109** (Integration for Salesforce and Contact Form 7), an unauthenticated PHP Object Injection vulnerability in the `cf7-salesforce` plugin. ### 1. Vulnerability Summary The vulnerability exists in the plugin's handling of API configuration data …

Show full research plan

This exploitation research plan targets CVE-2026-49109 (Integration for Salesforce and Contact Form 7), an unauthenticated PHP Object Injection vulnerability in the cf7-salesforce plugin.

1. Vulnerability Summary

The vulnerability exists in the plugin's handling of API configuration data during initialization. The plugin's base class vxcf_sales contains a helper method post() (used throughout the API logic) that processes request parameters. This method improperly uses maybe_unserialize() or unserialize() on base64-encoded user input. Because this processing is triggered during the init hook before authentication is checked, an unauthenticated attacker can inject arbitrary PHP objects into the application scope.

2. Attack Vector Analysis

  • Endpoint: Any WordPress frontend or backend URL (triggers the init hook).
  • Vulnerable Action: The vxcf_sales::init() hook calls vxcf_sales::plugin_api(), which handles OAuth 2.0 callbacks and API tests.
  • Parameters: code (trigger), instance_url (payload carrier), and potentially access_token or refresh_token.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: The vxcf_sales::instance() method registers setup_main on plugins_loaded.
  2. Hook Trigger: setup_main registers vxcf_sales::init on the init hook (cf7-salesforce.php).
  3. Path to Sink:
    • vxcf_sales::init() calls $this->plugin_api(true).
    • plugin_api() (in includes/plugin-api.php or main class) detects the presence of OAuth parameters in $_REQUEST.
    • It instantiates vxcf_sales_api (found in api/api.php) and calls handle_code().
    • vxcf_sales_api::handle_code() calls $this->post('instance_url', $token).
  4. The Sink: The method vxcf_sales::post() (inherited from the base class) takes the value from $_POST['instance_url'], base64 decodes it, and passes it to maybe_unserialize() (inferred based on plugin family behavior and the CVE description).

4. Nonce Acquisition Strategy

The Oauth callback path used in handle_code() typically does not require a nonce because it is designed to receive external requests from Salesforce. However, if a nonce is required for the plugin_api path, follow these steps:

  1. Identify Shortcode: The plugin uses shortcodes to display forms. Based on the plugin slug, the likely shortcode is [vxcf_salesforce].
  2. Create Test Page:
    wp post create --post_type=page --post_title="Salesforce Test" --post_status=publish --post_content='[vxcf_salesforce]'
    
  3. Extract Nonce: Navigate to the new page and look for localized script data.
    • JS Variable: vxcf_salesforce_obj or vxcf_salesforce_vars (inferred).
    • Command: browser_eval("window.vxcf_salesforce_obj?.nonce")
  4. Verification: Check `api/api
Research Findings
Static analysis — not yet PoC-verified

Summary

The Integration for Salesforce and Contact Form 7 plugin is vulnerable to unauthenticated PHP Object Injection due to the unsafe use of maybe_unserialize() on user-provided input during initialization. By sending a crafted request with serialized PHP objects, an attacker can trigger instantiation of those objects, potentially leading to remote code execution if a suitable POP chain exists in the environment.

Vulnerable Code

// cf7-salesforce.php line 949
     if(!is_array($value)){
          $value=maybe_unserialize($value);
     }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cf7-salesforce/1.4.3/api/api.php /home/deploy/wp-safety.org/data/plugin-versions/cf7-salesforce/1.4.4/api/api.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-salesforce/1.4.3/api/api.php	2025-02-17 09:51:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-salesforce/1.4.4/api/api.php	2025-05-22 12:01:22.000000000 +0000
@@ -1366,7 +1366,7 @@
       }
   } 
   if(is_array($field_val)){ 
-      $field_val=implode(', ',$field_val);
+      $field_val=implode('; ',$field_val); //REMOVED , @april-25 ; shows links for multiple files in textarea field while , does not convert to links
   }
   $sf_fields[$field_key]=$field_val;      
   }   
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cf7-salesforce/1.4.3/cf7-salesforce.php /home/deploy/wp-safety.org/data/plugin-versions/cf7-salesforce/1.4.4/cf7-salesforce.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-salesforce/1.4.3/cf7-salesforce.php	2025-02-17 09:51:44.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-salesforce/1.4.4/cf7-salesforce.php	2025-05-22 12:01:22.000000000 +0000
@@ -2,7 +2,7 @@
 /**
 * Plugin Name: WP Contact Form Salesforce
 * Description: Integrates Contact Form 7 , <a href="https://wordpress.org/plugins/contact-form-entries/">Contact Form Entries Plugin</a> and many other forms with Salesforce allowing form submissions to be automatically sent to your Salesforce account 
-* Version: 1.4.3
+* Version: 1.4.4
 * Requires at least: 4.7
 * Author URI: https://www.crmperks.com
 * Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/contact-form-salesforce-plugin/
@@ -23,7 +23,7 @@
   public  $crm_name = "salesforce";
   public  $id = "vxcf_sales";
   public  $domain = "vxcf-sales";
-  public  $version = "1.4.3";
+  public  $version = "1.4.4";
   public  $update_id = "6000001";
   public  $min_cf_version = "1.0";
   public  $type = "vxcf_sales";
@@ -949,7 +949,7 @@
       $value=$value['value'];   
      }
      if(!is_array($value)){
-          $value=maybe_unserialize($value);
+         // $value=maybe_unserialize($value);
      }
   }else if(isset($_REQUEST[$field_id])){
     $value=$this->post($field_id);

Exploit Outline

The vulnerability can be exploited by an unauthenticated attacker because the plugin processes API configuration data on every page load via the 'init' hook. 1. Target Endpoint: Any public-facing URL or admin URL that triggers the WordPress 'init' hook. 2. Methodology: The attacker identifies that the plugin's `vxcf_sales::init()` method calls `plugin_api(true)`. This method checks for specific request parameters (like 'code', 'instance_url', or 'access_token') used in the Salesforce OAuth 2.0 flow. 3. Payload: The attacker sends a GET or POST request containing a serialized PHP object payload in one of these parameters (e.g., `?code=trigger&instance_url=O:8:"YourPOPChain":...`). 4. Sink: The plugin retrieves the parameter value and passes it through `maybe_unserialize()`, which executes the deserialization and instantiates the object. 5. Requirements: No authentication or nonces are required, as the OAuth callback path is intended for external API interaction.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.