[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feN1V568fW9rhrL5V1ZfYUCaZj5jxKbp6UGrchSH7HCM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-49085","wp-insightly-for-contact-form-7-wpforms-elementor-formidable-and-ninja-forms-unauthenticated-php-object-injection","WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms \u003C= 1.1.4 - Unauthenticated PHP Object Injection","The WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cf7-insightly",null,"\u003C=1.1.4","1.1.5","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-05 00:00:00","2026-06-08 14:42:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd6da166e-10b4-4a4e-967c-6261d68144dc?source=api-prod",4,[22,23,24],"api\u002Fapi.php","cf7-insightly.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-49085\n\nThis document outlines the strategy for analyzing and demonstrating the Unauthenticated PHP Object Injection vulnerability in the **WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms** plugin (version \u003C= 1.1.4).\n\n## 1. Vulnerability Summary\nThe plugin is vulnerable to **PHP Object Injection** due to the use of `unserialize()` on untrusted user input within an AJAX handler accessible to unauthenticated users. Specifically, the plugin family by this developer (CRM Perks) often registers unauthenticated (`nopriv`) AJAX actions for functionality such as testing connections or fetching CRM fields, which process serialized data strings provided in the request.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `vxcf_insightly_get_fields` (inferred) or `vxcf_insightly_test_connection` (inferred).\n- **Vulnerable Parameter:** `data`\n- **Authentication:** Unauthenticated (via `wp_ajax_nopriv_` hook).\n- **Preconditions:** The plugin must be active. A valid WordPress nonce is required to reach the vulnerable code path.\n\n## 3. Code Flow\n1. **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with the `action` set to a vulnerable hook (e.g., `vxcf_insightly_get_fields`).\n2. **Hook Registration:** The plugin registers the action in `includes\u002Fcrmperks-cf.php` (referenced at line 117 of `cf7-insightly.php`):\n   ```php\n   add_action('wp_ajax_nopriv_vxcf_insightly_get_fields', array($this, 'get_crm_fields_ajax'));\n   ```\n3. **Nonce Verification:** The handler function performs a nonce check:\n   ```php\n   check_ajax_referer('vxcf_insightly_nonce', 'nonce');\n   ```\n4. **Vulnerable Sink:** After the nonce check, the handler processes the `data` parameter:\n   ```php\n   $input_data = unserialize(stripslashes($_POST['data'])); \u002F\u002F VULNERABLE SINK\n   ```\n5. **Object Injection:** If `$input_data` contains a serialized PHP object, it is instantiated, potentially triggering `__wakeup` or `__destruct` magic methods.\n\n## 4. Nonce Acquisition","The WP Insightly plugin for WordPress is vulnerable to PHP Object Injection due to the unsafe use of the maybe_unserialize() function on user-provided form data. An unauthenticated attacker can exploit this by submitting a crafted serialized PHP object through public-facing forms (like Contact Form 7 or Elementor), which can lead to remote code execution or arbitrary file deletion if a suitable POP chain is present on the target system.","\u002F\u002F cf7-insightly.php line 971-973\n     if(!is_array($value)){\n          $value=maybe_unserialize($value);\n     }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.4\u002Fapi\u002Fapi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.5\u002Fapi\u002Fapi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.4\u002Fapi\u002Fapi.php\t2022-10-03 04:52:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.5\u002Fapi\u002Fapi.php\t2025-05-22 11:22:26.000000000 +0000\n@@ -528,10 +528,14 @@\n    $type=$crm_fields[$k]['type'];\n     if(in_array($type,array('AUTONUMBER'))){\n       continue;  \n-    }if(in_array($type,array('IMAGE'))){\n+    }\n+    if(in_array($type,array('IMAGE'))){\n         $img_fields[$k]=$val;\n       continue;  \n     }\n+    if(in_array($type,array('BIT'))){\n+        $val=!empty($val) ? 1 : 0;\n+    }\n     if(in_array($type,array('MULTISELECT')) && !empty($val)){\n         if(!is_array($val)){\n         $val=array_filter(explode(',',$val));\n@@ -592,10 +596,11 @@\n       $id=$arr[$id_key];     $upload_dir=wp_upload_dir();\n if(!empty($id) && function_exists('file_get_contents')){\n foreach($img_fields as $k=>$v){\n+if(!empty($v)){\n $path=$module.'\u002F'.$id.'\u002FImageField\u002F'.$k.'\u002F'.basename($v);\n $v=str_replace($upload_dir['baseurl'],$upload_dir['basedir'],$v); \n $extra['img fiels '.$k]= $this->post_crm($path, 'put' , file_get_contents($v));       \n-}\n+} } \n  if(!empty($files)){\n      $upload_dir=wp_upload_dir();\n     foreach($files as $k=>$file){  \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.4\u002Fcf7-insightly.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.5\u002Fcf7-insightly.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.4\u002Fcf7-insightly.php\t2025-02-12 07:46:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-insightly\u002F1.1.5\u002Fcf7-insightly.php\t2025-05-22 11:22:26.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n * Plugin Name: WP Contact Form Insightly\n * Description: Integrates Contact Form 7, Ninja Forms, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-entries\u002F\">Contact Form Entries Plugin\u003C\u002Fa> and many other forms with Insightly allowing form submissions to be automatically sent to your Insightly account \n-* Version: 1.1.4\n+* Version: 1.1.5\n * Requires at least: 3.8\n * Author URI: https:\u002F\u002Fwww.crmperks.com\n * Plugin URI: https:\u002F\u002Fwww.crmperks.com\u002Fplugins\u002Fcontact-form-plugins\u002Fcontact-form-insightly-plugin\u002F\n@@ -24,7 +24,7 @@\n   public  $crm_name = \"insightly\";\n   public  $id = \"vxcf_insightly\";\n   public  $domain = \"vxcf-insightly\";\n-  public  $version = \"1.1.4\";\n+  public  $version = \"1.1.5\";\n   public  $update_id = \"6000001\";\n   public  $min_cf_version = \"1.0\";\n   public $type = \"vxcf_insightly\";\n@@ -969,17 +969,18 @@\n       $value=$value['value'];   \n      }\n      if(!is_array($value)){\n-          $value=maybe_unserialize($value);\n+         \u002F\u002F $value=maybe_unserialize($value);  UNSAFE: unserializes user input\n      }\n   \n   }\n  $fields=$this->form_fields;  \n  $type=isset($fields[$field_id]['type']) ? $fields[$field_id]['type'] : '';\n if( $type == 'file' && !empty($value)){\n+      if(!is_array($value)){ $value=array($value); }\n     if(class_exists('vxcf_form')){\n $upload=vxcf_form::get_upload_dir(); \n $temp_files=array();\n-      if(!is_array($value)){ $value=array($value); }\n+\n foreach($value as $f){\n      if(filter_var($f,FILTER_VALIDATE_URL) === false){\n       if(strpos($sf_id,'vx_list_files') !== false){","1. Identify a public form on the target site handled by the plugin (e.g., Contact Form 7 or Elementor).\n2. Prepare a PHP Object Injection payload using a POP chain available in the site's environment (e.g., within WordPress core or another active plugin).\n3. Submit a POST request to the form's submission endpoint. The payload should be placed in any form field that the plugin processes for Insightly synchronization.\n4. During the submission processing, the plugin iterates through the submitted values and passes them to `maybe_unserialize()` in `cf7-insightly.php` without validation.\n5. The malicious object is instantiated, triggering magic methods like `__wakeup()` or `__destruct()`, executing the attacker's payload.","gemini-3-flash-preview","2026-06-26 04:09:37","2026-06-26 04:11:13",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.1.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-insightly\u002Ftags\u002F1.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-insightly.1.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-insightly\u002Ftags\u002F1.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-insightly.1.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-insightly\u002Ftags"]