[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fx4nJ9jPOmOxHayj1wBuWFuiLHuOlhu5oxhrrSOwqV3c":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-49105","wp-zendesk-for-contact-form-7-wpforms-elementor-formidable-and-ninja-forms-unauthenticated-php-object-injection","WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms \u003C= 1.1.4 - Unauthenticated PHP Object Injection","The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","cf7-zendesk",null,"\u003C=1.1.4","1.1.5","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-05 00:00:00","2026-06-08 14:43:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff2a98c03-6660-4997-b60f-6b95e6ffe57b?source=api-prod",4,[22,23],"cf7-zendesk.php","readme.txt","researched",false,3,"This research plan outlines the steps to verify and exploit a PHP Object Injection vulnerability in the **WP Zendesk for Contact Form 7** plugin.\n\n## 1. Vulnerability Summary\nThe plugin is vulnerable to **Unauthenticated PHP Object Injection** due to the insecure use of `unserialize()` on user-controlled data. The vulnerability typically resides in the `entry_created` method within the `includes\u002Fcrmperks-cf.php` file. This method is triggered during form submissions from integrated plugins (Contact Form 7, WPForms, etc.). The plugin fails to sanitize the `vxcf_form_data` (or similar `vxcf_` prefixed) POST parameter before passing it to `unserialize()`.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: The submission handlers for Contact Form 7, WPForms, or Elementor. \n    *   For Contact Form 7: `POST \u002F?rest_route=\u002Fcontact-form-7\u002Fv1\u002Fcontact-forms\u002F[ID]\u002Ffeedback` or `POST \u002Fwp-admin\u002Fadmin-ajax.php` (if using the legacy AJAX handler).\n*   **Vulnerable Parameter**: `vxcf_form_data` (inferred from similar CRM Perks vulnerabilities).\n*   **Authentication**: Unauthenticated.\n*   **Preconditions**: \n    1. The plugin must be active.\n    2. At least one form (e.g., Contact Form 7) must be created and accessible on the frontend.\n    3. The plugin must be \"hooked\" into the form (default behavior).\n\n## 3. Code Flow\n1.  **Entry Point**: A user submits a form. For Contact Form 7, this triggers the `wpcf7_before_send_mail` hook.\n2.  **Plugin Callback**: `vxcf_zendesk::setup_main` registers `create_entry_cf` as a callback for that hook.\n3.  **Method Execution**: `create_entry_cf` calls `$this->entry_created($lead, '0', $form_arr)`.\n4.  **Vulnerable Sink**: Inside `entry_created` (located in `includes\u002Fcrmperks-cf.php`), the plugin checks for the presence of a specific POST parameter.\n    ```php\n    \u002F\u002F Inferred logic in includes\u002Fcrmperks-cf.php\n    if (isset($_POST['vxcf_form_data'])) {\n        $data = unserialize(base64_decode($_POST['vxcf_form_data']));\n    }\n    ```\n5.  **Requirement for `is_admin()`**: Note that `init` (which includes `crmperks-cf.php`) is wrapped in an `is_admin()` check in `setup_main`. However, `admin-ajax.php` and REST API requests often satisfy `is_admin()` or the necessary context for these hooks to fire and the files to be included.\n\n## 4. Nonce Acquisition Strategy\nWhile Contact Form 7 submissions require a `_wpcf7_nonce`, the plugin itself does not appear to implement a separate nonce for its processing logic.\n\n### Obtaining the CF7 Nonce:\n1.  **Identify Form**: Find a page containing a Contact Form 7 form.\n2.  **Create Test Page**: If no form exists, create one:\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[contact-form-7 id=\"123\" title=\"Contact form 1\"]'`\n3.  **Navigate & Extract**:\n    *   Use `browser_navigate` to the page.\n    *   Use `browser_eval` to extract the nonce and form ID:\n        ```javascript\n        () => {\n            const form = document.querySelector('.wpcf7-form');\n            return {\n                nonce: form.querySelector('input[name=\"_wpcf7_nonce\"]').value,\n                id: form.querySelector('input[name=\"_wpcf7\"]').value,\n                unit_tag: form.querySelector('input[name=\"_wpcf7_unit_tag\"]').value\n            };\n        }\n        ```\n\n## 5. Exploitation Strategy\nThe exploit involves sending a standard form submission request with an additional malicious parameter.\n\n### Step-by-Step Plan:\n1.  **Verify Sink**: Search the plugin directory for the exact parameter name:\n    *   `grep -r \"unserialize(base64_decode\" .`\n2.  **Generate Payload**: Since no POP chain is present in the plugin itself, use a core WordPress chain or a simple generic object to trigger a recognizable state (e.g., a class that exists in the environment).\n    *   Example Base64 Payload (for a `stdClass`): `Tzo4OiJzdGRDbGFzcyI6MDp7fQ==` (serialized `stdClass`)\n3.  **Construct HTTP Request**:\n    *   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fcontact-form-7\u002Fv1\u002Fcontact-forms\u002F[ID]\u002Ffeedback`\n    *   **Method**: `POST`\n    *   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n    *   **Body**:\n        ```text\n        _wpcf7=[ID]&_wpcf7_version=X.X.X&_wpcf7_locale=en_US&_wpcf7_unit_tag=[TAG]&_wpcf7_container_post=0&_wpcf7_nonce=[NONCE]&your-name=test&your-email=test@example.com&your-subject=test&your-message=test&vxcf_form_data=Tzo4OiJzdGRDbGFzcyI6MDp7fQ==\n        ```\n\n## 6. Test Data Setup\n1.  **Install Plugins**: Install `contact-form-7` and `cf7-zendesk` version 1.1.4.\n2.  **Create Form**: Create a default Contact Form 7.\n3.  **Create Page**: Create a page named \"Attack Surface\" and embed the form shortcode.\n4.  **Zendesk Config**: (Optional) The plugin might require a dummy Zendesk account to be \"active\" to reach the `entry_created` logic. \n    *   Check if `self::$feeds_res` or similar checks exist. If so, use `wp option add` to insert a dummy feed.\n\n## 7. Expected Results\n*   **Success**: The PHP process will attempt to unserialize the object. If a POP chain is used (e.g., one that writes a file), the file will appear in the filesystem.\n*   **Indicator**: If using a logger or a specialized POP chain that triggers an error (like `__wakeup` on a non-existent class), the WordPress debug log (`wp-content\u002Fdebug.log`) will show an \"Attempt to unserialize non-existent class\" error.\n\n## 8. Verification Steps\n1.  **Check Logs**: `tail -f wp-content\u002Fdebug.log` to see if `unserialize` threw errors related to the payload.\n2.  **Monitor Filesystem**: If the payload targets file creation: `ls -la \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002F`.\n3.  **Trace Method**: Use `wp eval` to check if the specific integration file is loaded:\n    *   `wp eval \"var_dump(class_exists('vxcf_zendesk') && method_exists('vxcf_zendesk', 'entry_created'));\"`\n\n## 9. Alternative Approaches\nIf the `vxcf_form_data` parameter is not the correct sink:\n1.  **Alternative Parameters**: Check for `vxcf_fields`, `crmperks_fields`, or `vxcf_form_fields`.\n2.  **Different Hook**: Attempt exploitation via **WPForms** or **Elementor** if Contact Form 7 is not yielding results. Each uses a different hook (e.g., `wpforms_process_entry_save`), but they all eventually route to the same vulnerable processing logic.\n3.  **Manual Sync**: Look for AJAX actions in `pro\u002Fplugin-api.php` or `includes\u002Fplugin-pages.php` that might allow an admin (or someone with a valid nonce) to manually trigger the sync, which might also use `unserialize()`.","The WP Zendesk plugin for WordPress is vulnerable to unauthenticated PHP Object Injection due to the insecure use of deserialization functions on user-controlled input during form submissions. Attackers can exploit this by submitting malicious serialized PHP objects, potentially leading to remote code execution or file deletion if a suitable POP chain is present in the environment.","\u002F\u002F cf7-zendesk.php line 962 in version 1.1.4\n     if(!is_array($value)){\n          $value=maybe_unserialize($value);\n     }\n\n---\n\n\u002F\u002F Inferred logic in includes\u002Fcrmperks-cf.php (referenced by the research plan)\nif (isset($_POST['vxcf_form_data'])) {\n    $data = unserialize(base64_decode($_POST['vxcf_form_data']));\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-zendesk\u002F1.1.4\u002Fcf7-zendesk.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-zendesk\u002F1.1.5\u002Fcf7-zendesk.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-zendesk\u002F1.1.4\u002Fcf7-zendesk.php\t2025-02-21 18:36:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcf7-zendesk\u002F1.1.5\u002Fcf7-zendesk.php\t2025-05-22 12:08:02.000000000 +0000\n@@ -2,7 +2,7 @@\n \u002F**\n * Plugin Name: Contact Form 7 Zendesk\n * Description: Integrates Contact Form 7, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-entries\u002F\">Contact Form Entries Plugin\u003C\u002Fa> and many other forms with Zendesk allowing form submissions to be automatically sent to your Zendesk account \n-* Version: 1.1.4\n+* Version: 1.1.5\n * Requires at least: 3.8\n * Author URI: https:\u002F\u002Fwww.crmperks.com\n * Plugin URI: https:\u002F\u002Fwww.crmperks.com\u002Fplugins\u002Fcontact-form-plugins\u002Fcontact-form-zendesk-plugin\u002F\n@@ -24,7 +24,7 @@\n   public  $crm_name = \"zendesk\";\n   public  $id = \"vxcf_zendesk\";\n   public  $domain = \"vxcf-zendesk\";\n-  public  $version = \"1.1.4\";\n+  public  $version = \"1.1.5\";\n   public  $update_id = \"6000015\";\n   public  $min_cf_version = \"1.0\";\n   public $type = \"vxcf_zendesk\";\n@@ -959,7 +959,7 @@\n       $value=$value['value'];   \n      }\n      if(!is_array($value)){\n-          $value=maybe_unserialize($value);\n+         \u002F\u002F $value=maybe_unserialize($value);\n      }\n   \n   }","An unauthenticated attacker can exploit this vulnerability by targeting form submission endpoints for integrated plugins like Contact Form 7 or WPForms. The attacker submits a POST request to the form's feedback or submission handler (e.g., \u002Fwp-json\u002Fcontact-form-7\u002Fv1\u002Fcontact-forms\u002F[ID]\u002Ffeedback). The payload is a serialized PHP object, typically Base64-encoded and passed through a parameter such as 'vxcf_form_data' or standard form fields. The plugin's entry creation logic processes this input using maybe_unserialize() or unserialize(), triggering the object injection. While the attacker may need to obtain a form-specific nonce (like _wpcf7_nonce), the vulnerability itself does not require administrative authentication.","gemini-3-flash-preview","2026-06-26 04:14:03","2026-06-26 04:15:48",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.1.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-zendesk\u002Ftags\u002F1.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-zendesk.1.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-zendesk\u002Ftags\u002F1.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcf7-zendesk.1.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcf7-zendesk\u002Ftags"]