[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzXgqqiHhc_ZcGwMpSo8e2EkCL-LnsFX9RgyZiBoMbo8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-49109","integration-for-salesforce-and-contact-form-7-wpforms-elementor-formidable-ninja-forms-unauthenticated-php-object-inject","Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms \u003C= 1.4.3 - Unauthenticated PHP Object Injection","The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.3 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cf7-salesforce",null,"\u003C=1.4.3","1.4.4","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-04 00:00:00","2026-06-08 14:43:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4eedc291-7fa3-4c47-8edb-3a3edade96d6?source=api-prod",5,[22,23,24],"api\u002Fapi.php","cf7-salesforce.php","readme.txt","researched",false,3,"This exploitation research plan targets **CVE-2026-49109** (Integration for Salesforce and Contact Form 7), an unauthenticated PHP Object Injection vulnerability in the `cf7-salesforce` plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the plugin's handling of API configuration data during initialization. The plugin's base class `vxcf_sales` contains a helper method `post()` (used throughout the API logic) that processes request parameters. This method improperly uses `maybe_unserialize()` or `unserialize()` on base64-encoded user input. Because this processing is triggered during the `init` hook before authentication is checked, an unauthenticated attacker can inject arbitrary PHP objects into the application scope.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Any WordPress frontend or backend URL (triggers the `init` hook).\n*   **Vulnerable Action:** The `vxcf_sales::init()` hook calls `vxcf_sales::plugin_api()`, which handles OAuth 2.0 callbacks and API tests.\n*   **Parameters:** `code` (trigger), `instance_url` (payload carrier), and potentially `access_token` or `refresh_token`.\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow\n1.  **Entry Point:** The `vxcf_sales::instance()` method registers `setup_main` on `plugins_loaded`.\n2.  **Hook Trigger:** `setup_main` registers `vxcf_sales::init` on the `init` hook (`cf7-salesforce.php`).\n3.  **Path to Sink:**\n    *   `vxcf_sales::init()` calls `$this->plugin_api(true)`.\n    *   `plugin_api()` (in `includes\u002Fplugin-api.php` or main class) detects the presence of OAuth parameters in `$_REQUEST`.\n    *   It instantiates `vxcf_sales_api` (found in `api\u002Fapi.php`) and calls `handle_code()`.\n    *   `vxcf_sales_api::handle_code()` calls `$this->post('instance_url', $token)`.\n4.  **The Sink:** The method `vxcf_sales::post()` (inherited from the base class) takes the value from `$_POST['instance_url']`, base64 decodes it, and passes it to `maybe_unserialize()` (inferred based on plugin family behavior and the CVE description).\n\n### 4. Nonce Acquisition Strategy\nThe Oauth callback path used in `handle_code()` typically does not require a nonce because it is designed to receive external requests from Salesforce. However, if a nonce is required for the `plugin_api` path, follow these steps:\n\n1.  **Identify Shortcode:** The plugin uses shortcodes to display forms. Based on the plugin slug, the likely shortcode is `[vxcf_salesforce]`.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Salesforce Test\" --post_status=publish --post_content='[vxcf_salesforce]'\n    ```\n3.  **Extract Nonce:** Navigate to the new page and look for localized script data.\n    *   **JS Variable:** `vxcf_salesforce_obj` or `vxcf_salesforce_vars` (inferred).\n    *   **Command:** `browser_eval(\"window.vxcf_salesforce_obj?.nonce\")`\n4.  **Verification:** Check `api\u002Fapi","The Integration for Salesforce and Contact Form 7 plugin is vulnerable to unauthenticated PHP Object Injection due to the unsafe use of maybe_unserialize() on user-provided input during initialization. By sending a crafted request with serialized PHP objects, an attacker can trigger instantiation of those objects, potentially leading to remote code execution if a suitable POP chain exists in the environment.","\u002F\u002F cf7-salesforce.php line 949\n     if(!is_array($value)){\n          $value=maybe_unserialize($value);\n     }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-salesforce\u002F1.4.3\u002Fapi\u002Fapi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-salesforce\u002F1.4.4\u002Fapi\u002Fapi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-salesforce\u002F1.4.3\u002Fapi\u002Fapi.php\t2025-02-17 09:51:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-salesforce\u002F1.4.4\u002Fapi\u002Fapi.php\t2025-05-22 12:01:22.000000000 +0000\n@@ -1366,7 +1366,7 @@\n       }\n   } \n   if(is_array($field_val)){ \n-      $field_val=implode(', ',$field_val);\n+      $field_val=implode('; ',$field_val); \u002F\u002FREMOVED , @april-25 ; shows links for multiple files in textarea field while , does not convert to links\n   }\n   $sf_fields[$field_key]=$field_val;      \n   }   \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-salesforce\u002F1.4.3\u002Fcf7-salesforce.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-salesforce\u002F1.4.4\u002Fcf7-salesforce.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-salesforce\u002F1.4.3\u002Fcf7-salesforce.php\t2025-02-17 09:51:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-salesforce\u002F1.4.4\u002Fcf7-salesforce.php\t2025-05-22 12:01:22.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n * Plugin Name: WP Contact Form Salesforce\n * Description: Integrates Contact Form 7 , \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-entries\u002F\">Contact Form Entries Plugin\u003C\u002Fa> and many other forms with Salesforce allowing form submissions to be automatically sent to your Salesforce account \n-* Version: 1.4.3\n+* Version: 1.4.4\n * Requires at least: 4.7\n * Author URI: https:\u002F\u002Fwww.crmperks.com\n * Plugin URI: https:\u002F\u002Fwww.crmperks.com\u002Fplugins\u002Fcontact-form-plugins\u002Fcontact-form-salesforce-plugin\u002F\n@@ -23,7 +23,7 @@\n   public  $crm_name = \"salesforce\";\n   public  $id = \"vxcf_sales\";\n   public  $domain = \"vxcf-sales\";\n-  public  $version = \"1.4.3\";\n+  public  $version = \"1.4.4\";\n   public  $update_id = \"6000001\";\n   public  $min_cf_version = \"1.0\";\n   public  $type = \"vxcf_sales\";\n@@ -949,7 +949,7 @@\n       $value=$value['value'];   \n      }\n      if(!is_array($value)){\n-          $value=maybe_unserialize($value);\n+         \u002F\u002F $value=maybe_unserialize($value);\n      }\n   }else if(isset($_REQUEST[$field_id])){\n     $value=$this->post($field_id);","The vulnerability can be exploited by an unauthenticated attacker because the plugin processes API configuration data on every page load via the 'init' hook. \n\n1. Target Endpoint: Any public-facing URL or admin URL that triggers the WordPress 'init' hook.\n2. Methodology: The attacker identifies that the plugin's `vxcf_sales::init()` method calls `plugin_api(true)`. This method checks for specific request parameters (like 'code', 'instance_url', or 'access_token') used in the Salesforce OAuth 2.0 flow.\n3. Payload: The attacker sends a GET or POST request containing a serialized PHP object payload in one of these parameters (e.g., `?code=trigger&instance_url=O:8:\"YourPOPChain\":...`).\n4. Sink: The plugin retrieves the parameter value and passes it through `maybe_unserialize()`, which executes the deserialization and instantiates the object. \n5. Requirements: No authentication or nonces are required, as the OAuth callback path is intended for external API interaction.","gemini-3-flash-preview","2026-06-26 04:44:27","2026-06-26 04:46:13",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.4.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-salesforce\u002Ftags\u002F1.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-salesforce.1.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-salesforce\u002Ftags\u002F1.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-salesforce.1.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-salesforce\u002Ftags"]