Skip to main content

Integration for Contact Form 7 and Constant Contact CVE-2026-49106

| EUVD-2026-36883 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 Patchstack GHSA-6jc2-r4qg-63mf
PHP Deserialization Integration For Contact Form 7 And Constant Contact
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable WordPress endpoint (AV:N/PR:N/UI:N), straightforward serialized payload (AC:L); deserialization with gadget chain typically yields full CIA impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:34 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.

AnalysisAI

Unauthenticated PHP Object Injection in the WordPress plugin Integration for Contact Form 7 and Constant Contact (versions <= 1.1.6) allows remote attackers to inject crafted serialized PHP objects that get deserialized server-side. When a suitable POP (property-oriented programming) gadget chain is present in WordPress core, another active plugin, or a theme, this can escalate to arbitrary file read/write, deletion, or remote code execution on the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running vulnerable plugin
Delivery
Craft serialized PHP object with POP gadget
Exploit
Send unauthenticated HTTP request to plugin endpoint
Execution
Trigger unserialize() on attacker payload
Persist
Gadget chain executes file write or command
Impact
Achieve RCE as web server user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the target WordPress site to have the 'Integration for Contact Form 7 and Constant Contact' plugin installed and active at version 1.1.6 or earlier, with the vulnerable endpoint reachable over the network (which it is by default, since the CVSS vector is AV:N/PR:N/UI:N - no authentication or user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gives a 9.8 Critical score: network reachable, low complexity, no privileges, no user interaction, full CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends an HTTP request to a public WordPress endpoint exposed by the vulnerable plugin, embedding a crafted serialized PHP object string in a parameter the plugin passes to unserialize(). When deserialized, the object's magic methods trigger a POP gadget chain from WordPress core or another installed plugin/theme, leading to arbitrary file write or command execution under the web server user. …
Remediation Released patched version not independently confirmed from the provided data - the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cf7-constant-contact/vulnerability/wordpress-integration-for-contact-form-7-and-constant-contact-plugin-1-1-6-php-object-injection-vulnerability) should be consulted for the fixed release, and administrators should upgrade to any version above 1.1.6 published by CRM Perks. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit all WordPress environments to identify deployed instances and versions of 'Integration for Contact Form 7 and Constant Contact'; immediately disable the plugin to prevent exploitation; review access logs for suspicious plugin-directed traffic. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-49106 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy