What is the CVSS score of CVE-2026-2599?

CVE-2026-2599 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2026-2599?

A critical vulnerability (CVSS 9.8) affecting popular WordPress form plugins allows attackers to inject malicious PHP code through the CSV download feature, potentially compromising WordPress sites…

How to fix or mitigate CVE-2026-2599?

Within 24 hours: Identify all affected WordPress installations running vulnerable plugin versions and disable the CSV download functionality if operationally feasible, or restrict access to authenticated administrators only. Within 7 days: Implement Web Application Firewall (WAF) rules to block suspicious serialized object patterns in download_csv requests, and apply network segmentation to isolate WordPress environments. Within 30 days: Monitor vendor repositories closely for security patches and prepare expedited deployment procedures; consider migrating to alternative form plugins if vendors do not release timely patches.

PHP CVE-2026-2599

CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-03-05 security@wordfence.com

WordPress PHP Deserialization Information Disclosure

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:37 vuln.today

cvss_changed

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 05, 2026 - 13:16 nvd

CRITICAL 9.8

DescriptionCVE.org

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

AnalysisAI

PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send crafted request to download_csv endpoint

Delivery

Trigger PHP object deserialization

Exploit

Inject malicious serialized object

Execution

Activate POP chain in installed plugin

Impact

Execute arbitrary code

Access

Send crafted request to download_csv endpoint

Delivery

Trigger PHP object deserialization

Exploit

Inject malicious serialized object

Execution

Activate POP chain in installed plugin

Impact

Execute arbitrary code

Vulnerability AssessmentAI

Exploitation	Vulnerable form plugin (version ≤1.4.7) installed and active; additional plugin or theme with exploitable POP chain present on WordPress installation; download_csv endpoint accessible to unauthenticated users. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8. Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Object injection via form data.
Remediation	Update. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all affected WordPress installations running vulnerable plugin versions and disable the CSV download functionality if operationally feasible, or restrict access to authenticated administrators only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH This Week POC

7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi

CVE-2026-9815 MEDIUM This Month POC

6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co

CVE-2026-48908 CRITICAL Act Now

10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL Act Now

10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve

CVE-2025-69108 CRITICAL Act Now

9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

CVE-2026-2599 vulnerability details – vuln.today

Back

PHP CVE-2026-2599

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code