Skip to main content

Integration for Mailchimp CVE-2026-49765

| EUVD-2026-36889 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 Patchstack GHSA-3f48-hjp5-xvrg
PHP Deserialization Integration For Mailchimp And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Unauthenticated network-reachable deserialization sink (AV:N, PR:N, UI:N), but practical RCE depends on finding a usable POP gadget chain, warranting AC:H over the assigned AC:L.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:30 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.

AnalysisAI

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Fingerprint vulnerable plugin on target site
Delivery
Craft serialized PHP payload with POP gadget chain
Exploit
Send unauthenticated HTTP request to plugin endpoint
Install
Trigger unserialize() on attacker-controlled input
C2
Magic method executes gadget chain
Execute
Write webshell or execute arbitrary PHP
Impact
Full site compromise and data exfiltration
Sign in to reveal

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default installations of the Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin at version 1.1.8 or earlier, with no user interaction required (CVSS AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates network-reachable, low-complexity, unauthenticated exploitation with full CIA impact - a worst-case profile typical of WordPress plugin PHP Object Injection bugs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running the vulnerable plugin (fingerprintable via static assets or REST routes) and sends an unauthenticated HTTP request to a plugin endpoint that passes user input into unserialize(). The serialized payload references a class with an exploitable magic method present in WordPress core or another installed plugin, chaining gadgets to write a PHP webshell to wp-content or execute arbitrary code. …
Remediation Patch available per vendor advisory: upgrade the plugin to a version newer than 1.1.8 as soon as CRM Perks publishes a fixed release; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/cf7-mailchimp/vulnerability/wordpress-integration-for-mailchimp-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-8-php-object-injection-vulnerability for the confirmed fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: audit all WordPress installations for this plugin; immediately disable or remove affected versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-49765 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy