[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fyEIIg2wXyky_0AKMdCjZXDUruRdSdKjiCsPzUZmmbd0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-32484","weforms-easy-drag-drop-contact-form-builder-for-wordpress-unauthenticated-php-object-injection","weForms – Easy Drag & Drop Contact Form Builder For WordPress \u003C= 1.6.26 - Unauthenticated PHP Object Injection","The weForms – Easy Drag & Drop Contact Form Builder For WordPress plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.26 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","weforms",null,"\u003C=1.6.26","1.6.27","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-03-23 00:00:00","2026-04-02 15:15:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4bc15539-d816-4873-9684-862c7c9fcda7?source=api-prod",11,[22,23,24,25,26,27],"includes\u002Fadmin\u002Fclass-privacy.php","includes\u002Fapi\u002Fclass-weforms-forms-controller.php","includes\u002Fclass-ajax.php","includes\u002Fclass-form-entry.php","includes\u002Fclass-form.php","includes\u002Ffunctions.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32484 (weForms Object Injection)\n\n## 1. Vulnerability Summary\nThe **weForms** plugin (\u003C= 1.6.26) is vulnerable to **Unauthenticated PHP Object Injection**. The vulnerability exists because the plugin's entry-handling logic retrieves submitted form data from the database and passes it directly to `unserialize()` or `maybe_unserialize()` when instantiating a `WeForms_Form_Entry` object. Since an unauthenticated user can submit form entries, they can inject a serialized PHP object payload into a field that the plugin later deserializes.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `weforms_frontend_submit` (registered via `wp_ajax_nopriv_weforms_frontend_submit` in `includes\u002Fclass-ajax.php`)\n- **Vulnerable Parameter**: Within the `form_data` POST parameter, any field name corresponding to a `multiple_product` or `image_upload` field type.\n- **Authentication**: None required (Unauthenticated).\n- **Preconditions**: A published form must exist containing at least one field of type `multiple_product`, `image_upload`, or `file_upload`.\n\n## 3. 
Code Flow\n1.  **Entry Point**: `WeForms_Ajax::handle_frontend_submission()` is called via AJAX.\n2.  **Processing**: The function parses `$_","The weForms plugin is vulnerable to Unauthenticated PHP Object Injection because it uses unserialize() and maybe_unserialize() on user-controllable form entry data stored in the database. An attacker can submit a malicious serialized PHP object through specific form fields, which is later deserialized when an administrator views the entry or when the system processes the entry data.","\u002F\u002F includes\u002Fclass-form-entry.php\n\n                    } elseif ( in_array( $field['type'], [ 'image_upload', 'file_upload' ] ) ) {\n                        $file_field = '';\n                        $value      = maybe_unserialize( $value );\n\n---\n\n\u002F\u002F includes\u002Fclass-form-entry.php line 199\n\n                    } elseif ( $field['type'] == 'multiple_product' ) {\n                        $field_value = unserialize( $value );\n\n---\n\n\u002F\u002F includes\u002Fclass-ajax.php line 523\n\n        $payment        = $entry->get_payment_data();\n\n        if ( isset( $payment->payment_data ) && is_serialized( $payment->payment_data ) ) {\n            $payment->payment_data = unserialize( $payment->payment_data );\n        }\n\n---\n\n\u002F\u002F includes\u002Ffunctions.php line 1251\n\nfunction weforms_get_pain_text( $value ) {\n    if ( is_serialized( $value ) ) {\n        $value = unserialize( $value );\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.26\u002Fincludes\u002Fadmin\u002Fclass-privacy.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.27\u002Fincludes\u002Fadmin\u002Fclass-privacy.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.26\u002Fincludes\u002Fadmin\u002Fclass-privacy.php\t2024-03-20 20:17:32.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.27\u002Fincludes\u002Fadmin\u002Fclass-privacy.php\t2026-02-09 15:54:44.000000000 +0000\n@@ -218,7 +218,10 @@\n     }\n \n     public static function process_payment_data( $payment_data ) {\n-        $field_value = unserialize( $payment_data->payment_data );\n+        \u002F\u002F Security fix: Prevent PHP Object Injection by restricting allowed classes\n+        $field_value = is_serialized( $payment_data->payment_data )\n+            ? @unserialize( $payment_data->payment_data, [ 'allowed_classes' => false ] )\n+            : $payment_data->payment_data;\n \n         $serialized_value = [];\n         $transaction_data = [];\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.26\u002Fincludes\u002Fapi\u002Fclass-weforms-forms-controller.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.27\u002Fincludes\u002Fapi\u002Fclass-weforms-forms-controller.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.26\u002Fincludes\u002Fapi\u002Fclass-weforms-forms-controller.php\t2020-10-20 13:26:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.27\u002Fincludes\u002Fapi\u002Fclass-weforms-forms-controller.php\t2026-02-09 15:54:44.000000000 +0000\n@@ -1548,7 +1548,8 @@\n         $payment       = $entry->get_payment_data();\n \n         if ( isset( $payment->payment_data ) && is_serialized( $payment->payment_data ) ) {\n-            $payment->payment_data = unserialize( $payment->payment_data );\n+            \u002F\u002F Security fix: Prevent PHP Object Injection by restricting allowed classes\n+            $payment->payment_data = @unserialize( $payment->payment_data, [ 'allowed_classes' => false ] );\n         }\n \n         $has_empty          = false;\ndiff -ru 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.26\u002Fincludes\u002Fclass-ajax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.27\u002Fincludes\u002Fclass-ajax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.26\u002Fincludes\u002Fclass-ajax.php\t2024-02-01 20:47:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.27\u002Fincludes\u002Fclass-ajax.php\t2026-02-09 15:54:44.000000000 +0000\n@@ -520,7 +520,8 @@\n         $payment        = $entry->get_payment_data();\n \n         if ( isset( $payment->payment_data ) && is_serialized( $payment->payment_data ) ) {\n-            $payment->payment_data = unserialize( $payment->payment_data );\n+            \u002F\u002F Security fix: Prevent PHP Object Injection by restricting allowed classes\n+            $payment->payment_data = @unserialize( $payment->payment_data, [ 'allowed_classes' => false ] );\n         }\n \n         if ( false === $fields ) {\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.26\u002Fincludes\u002Fclass-form-entry.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.27\u002Fincludes\u002Fclass-form-entry.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.26\u002Fincludes\u002Fclass-form-entry.php\t2024-03-20 20:17:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fweforms\u002F1.6.27\u002Fincludes\u002Fclass-form-entry.php\t2026-02-09 15:54:44.000000000 +0000\n@@ -170,7 +170,10 @@\n                         }\n                     } elseif ( in_array( $field['type'], [ 'image_upload', 'file_upload' ] ) ) {\n                         $file_field = '';\n-                        $value 
     = maybe_unserialize( $value );\n+                        \u002F\u002F Security fix: Prevent PHP Object Injection by restricting allowed classes\n+                        $value      = is_serialized( $value )\n+                            ? @unserialize( $value, [ 'allowed_classes' => false ] )\n+                            : $value;\n \n                         if ( is_array( $value ) && $value ) {\n                             foreach ( $value as $attachment_id ) {\n@@ -196,7 +199,10 @@\n                             'long'    => trim( $long ),\n                         ];\n                     } elseif ( $field['type'] == 'multiple_product' ) {\n-                        $field_value = unserialize( $value );\n+                        \u002F\u002F Security fix: Prevent PHP Object Injection by restricting allowed classes\n+                        $field_value = is_serialized( $value )\n+                            ? @unserialize( $value, [ 'allowed_classes' => false ] )\n+                            : $value;\n \n                         $serialized_value = [];\n \n@@ -218,7 +224,10 @@\n                             $value = implode( '\u003Cbr> \u003Cbr> ', $serialized_value );\n                         }\n                     } elseif ( $field['type'] == 'checkbox_grid' ) {\n-                        $entry_value = unserialize( $value );\n+                        \u002F\u002F Security fix: Prevent PHP Object Injection by restricting allowed classes\n+                        $entry_value = is_serialized( $value )\n+                            ? 
@unserialize( $value, [ 'allowed_classes' => false ] )\n+                            : $value;\n \n                         if ( $entry_value ) {\n                             $return = '';\n@@ -281,7 +290,10 @@\n                             $value = $return;\n                         }\n                     } elseif ( $field['type'] == 'multiple_choice_grid' ) {\n-                        $entry_value = unserialize( $value );\n+                        \u002F\u002F Security fix: Prevent PHP Object Injection by restricting allowed classes\n+                        $entry_value = is_serialized( $value )\n+                            ? @unserialize( $value, [ 'allowed_classes' => false ] )\n+                            : $value;\n \n                         if ( $entry_value ) {\n                             $return = '';\n@@ -344,7 +356,10 @@\n                             $value = $return;\n                         }\n                     } elseif ( $field['type'] == 'address_field' || is_serialized( $value ) ) {\n-                        $field_value = unserialize( $value );\n+                        \u002F\u002F Security fix: Prevent PHP Object Injection by restricting allowed classes\n+                        $field_value = is_serialized( $value )\n+                            ? 
@unserialize( $value, [ 'allowed_classes' => false ] )\n+                            : $value;\n \n                         $serialized_value = [];\n \n@@ -1248,14 +1248,15 @@\n  * @return string\n  **\u002F\n function weforms_get_pain_text( $value ) {\n-    if ( is_serialized( $value ) ) {\n-        $value = unserialize( $value );\n-    }\n+    \u002F\u002F Security fix: Removed unsafe unserialize() call to prevent PHP Object Injection.\n+    \u002F\u002F WordPress's get_metadata() already handles deserialization safely.\n+    \u002F\u002F Any serialized strings at this point should be treated as untrusted user input.\n \n     if ( is_array( $value ) ) {\n         $string_value = [];\n         foreach ( $value as $key => $single_value ) {\n-            if ( is_array( $single_value ) || is_serialized( $single_value ) ) {\n+            \u002F\u002F Only recursively process arrays, not serialized strings\n+            if ( is_array( $single_value ) ) {\n                 $single_value = weforms_get_pain_text( $single_value );\n             }","1. Identify a published weForms form that contains at least one complex field type that results in database serialization (e.g., File Upload, Multiple Products, Checkbox Grid, or Address field).\n2. Construct a malicious serialized PHP object payload designed to trigger a POP chain (if one exists in the environment's themes or other plugins).\n3. Submit the form as an unauthenticated user by sending a POST request to `wp-admin\u002Fadmin-ajax.php` with the action `weforms_frontend_submit`.\n4. In the `form_data` payload, map the malicious serialized string to the field name corresponding to the vulnerable field type.\n5. 
Wait for an administrator to view the form entries or trigger a system process (like an export or privacy data request) that forces the backend to instantiate a `WeForms_Form_Entry` object, which will trigger the unsafe `unserialize()` call. This path applies to versions up to and including 1.6.26: in the 1.6.27 diff, these `unserialize()` calls pass `[ 'allowed_classes' => false ]` and the call in `weforms_get_pain_text()` is removed, so serialized objects in a stored entry are no longer instantiated as their named classes.","gemini-3-flash-preview","2026-04-17 23:20:54","2026-04-17 23:22:03",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.6.26","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fweforms\u002Ftags\u002F1.6.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fweforms.1.6.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fweforms\u002Ftags\u002F1.6.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fweforms.1.6.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fweforms\u002Ftags"]