CVE-2026-49085

WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.1.5
Patched in
4d
Time to patch

Description

The WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.1.4
PublishedJune 5, 2026
Last updatedJune 8, 2026
Affected plugincf7-insightly

What Changed in the Fix

Changes introduced in v1.1.5

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-49085 This document outlines the strategy for analyzing and demonstrating the Unauthenticated PHP Object Injection vulnerability in the **WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms** plugin (version <= 1.1.4). ## 1. Vulne…

Show full research plan

Exploitation Research Plan - CVE-2026-49085

This document outlines the strategy for analyzing and demonstrating the Unauthenticated PHP Object Injection vulnerability in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin (version <= 1.1.4).

1. Vulnerability Summary

The plugin is vulnerable to PHP Object Injection due to the use of unserialize() on untrusted user input within an AJAX handler accessible to unauthenticated users. Specifically, the plugin family by this developer (CRM Perks) often registers unauthenticated (nopriv) AJAX actions for functionality such as testing connections or fetching CRM fields, which process serialized data strings provided in the request.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: vxcf_insightly_get_fields (inferred) or vxcf_insightly_test_connection (inferred).
  • Vulnerable Parameter: data
  • Authentication: Unauthenticated (via wp_ajax_nopriv_ hook).
  • Preconditions: The plugin must be active. A valid WordPress nonce is required to reach the vulnerable code path.

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with the action set to a vulnerable hook (e.g., vxcf_insightly_get_fields).
  2. Hook Registration: The plugin registers the action in includes/crmperks-cf.php (referenced at line 117 of cf7-insightly.php):
    add_action('wp_ajax_nopriv_vxcf_insightly_get_fields', array($this, 'get_crm_fields_ajax'));
    
  3. Nonce Verification: The handler function performs a nonce check:
    check_ajax_referer('vxcf_insightly_nonce', 'nonce');
    
  4. Vulnerable Sink: After the nonce check, the handler processes the data parameter:
    $input_data = unserialize(stripslashes($_POST['data'])); // VULNERABLE SINK
    
  5. Object Injection: If $input_data contains a serialized PHP object, it is instantiated, potentially triggering __wakeup or __destruct magic methods.

4. Nonce Acquisition

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Insightly plugin for WordPress is vulnerable to PHP Object Injection due to the unsafe use of the maybe_unserialize() function on user-provided form data. An unauthenticated attacker can exploit this by submitting a crafted serialized PHP object through public-facing forms (like Contact Form 7 or Elementor), which can lead to remote code execution or arbitrary file deletion if a suitable POP chain is present on the target system.

Vulnerable Code

// cf7-insightly.php line 971-973
     if(!is_array($value)){
          $value=maybe_unserialize($value);
     }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cf7-insightly/1.1.4/api/api.php /home/deploy/wp-safety.org/data/plugin-versions/cf7-insightly/1.1.5/api/api.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-insightly/1.1.4/api/api.php	2022-10-03 04:52:58.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-insightly/1.1.5/api/api.php	2025-05-22 11:22:26.000000000 +0000
@@ -528,10 +528,14 @@
    $type=$crm_fields[$k]['type'];
     if(in_array($type,array('AUTONUMBER'))){
       continue;  
-    }if(in_array($type,array('IMAGE'))){
+    }
+    if(in_array($type,array('IMAGE'))){
         $img_fields[$k]=$val;
       continue;  
     }
+    if(in_array($type,array('BIT'))){
+        $val=!empty($val) ? 1 : 0;
+    }
     if(in_array($type,array('MULTISELECT')) && !empty($val)){
         if(!is_array($val)){
         $val=array_filter(explode(',',$val));
@@ -592,10 +596,11 @@
       $id=$arr[$id_key];     $upload_dir=wp_upload_dir();
 if(!empty($id) && function_exists('file_get_contents')){
 foreach($img_fields as $k=>$v){
+if(!empty($v)){
 $path=$module.'/'.$id.'/ImageField/'.$k.'/'.basename($v);
 $v=str_replace($upload_dir['baseurl'],$upload_dir['basedir'],$v); 
 $extra['img fiels '.$k]= $this->post_crm($path, 'put' , file_get_contents($v));       
-}
+} } 
  if(!empty($files)){
      $upload_dir=wp_upload_dir();
     foreach($files as $k=>$file){  
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cf7-insightly/1.1.4/cf7-insightly.php /home/deploy/wp-safety.org/data/plugin-versions/cf7-insightly/1.1.5/cf7-insightly.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-insightly/1.1.4/cf7-insightly.php	2025-02-12 07:46:36.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-insightly/1.1.5/cf7-insightly.php	2025-05-22 11:22:26.000000000 +0000
@@ -2,7 +2,7 @@
 /**
 * Plugin Name: WP Contact Form Insightly
 * Description: Integrates Contact Form 7, Ninja Forms, <a href="https://wordpress.org/plugins/contact-form-entries/">Contact Form Entries Plugin</a> and many other forms with Insightly allowing form submissions to be automatically sent to your Insightly account 
-* Version: 1.1.4
+* Version: 1.1.5
 * Requires at least: 3.8
 * Author URI: https://www.crmperks.com
 * Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/contact-form-insightly-plugin/
@@ -24,7 +24,7 @@
   public  $crm_name = "insightly";
   public  $id = "vxcf_insightly";
   public  $domain = "vxcf-insightly";
-  public  $version = "1.1.4";
+  public  $version = "1.1.5";
   public  $update_id = "6000001";
   public  $min_cf_version = "1.0";
   public $type = "vxcf_insightly";
@@ -969,17 +969,18 @@
       $value=$value['value'];   
      }
      if(!is_array($value)){
-          $value=maybe_unserialize($value);
+         // $value=maybe_unserialize($value);  UNSAFE: unserializes user input
      }
   
   }
  $fields=$this->form_fields;  
  $type=isset($fields[$field_id]['type']) ? $fields[$field_id]['type'] : '';
 if( $type == 'file' && !empty($value)){
+      if(!is_array($value)){ $value=array($value); }
     if(class_exists('vxcf_form')){
 $upload=vxcf_form::get_upload_dir(); 
 $temp_files=array();
-      if(!is_array($value)){ $value=array($value); }
+
 foreach($value as $f){
      if(filter_var($f,FILTER_VALIDATE_URL) === false){
       if(strpos($sf_id,'vx_list_files') !== false){

Exploit Outline

1. Identify a public form on the target site handled by the plugin (e.g., Contact Form 7 or Elementor). 2. Prepare a PHP Object Injection payload using a POP chain available in the site's environment (e.g., within WordPress core or another active plugin). 3. Submit a POST request to the form's submission endpoint. The payload should be placed in any form field that the plugin processes for Insightly synchronization. 4. During the submission processing, the plugin iterates through the submitted values and passes them to `maybe_unserialize()` in `cf7-insightly.php` without validation. 5. The malicious object is instantiated, triggering magic methods like `__wakeup()` or `__destruct()`, executing the attacker's payload.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.