WP Insightly: EUVD-2026-36880 / CVE-2026-49085 (CRITICAL)
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-mcfw-4jg7-v278
CVSS 3.1 base score 9.8 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 9.8 CRITICAL

Unauthenticated network-reachable WordPress plugin endpoint deserializes attacker input, yielding full RCE with high C/I/A impact and no user interaction or privileges required.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 21:35 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Analysis (AI)

Unauthenticated PHP object injection in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions <= 1.1.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes without validation. Successful exploitation can lead to remote code execution, data tampering, or full site compromise when a suitable POP (property-oriented programming) gadget chain is available in WordPress core, the active theme, or any installed plugin. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running WP Insightly ≤1.1.4
Delivery: Craft serialized PHP object with POP gadget
Exploit: Send unauthenticated request to vulnerable plugin endpoint
Install: Plugin deserializes attacker payload
C2: Gadget chain triggers code execution
Execute: Drop webshell or create admin user
Impact: Full site compromise and data exfiltration

Vulnerability Assessment (AI)

Exploitation: The vulnerable plugin 'WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' must be installed and activated at version 1.1.4 or earlier on a reachable WordPress site, and the attacker must be able to reach the plugin entry point that calls unserialize() on attacker-controlled input (per CVSS PR:N and UI:N, no authentication or user interaction is required). …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8 (Critical) and is consistent with unauthenticated PHP object injection reachable over the network with low complexity and full CIA impact. …

Exploit Scenario: An unauthenticated attacker submits a crafted request (for example to a form-handling AJAX action or REST endpoint exposed by the plugin) containing a serialized PHP object payload in a parameter that the plugin passes to unserialize(). On the target, instantiation triggers a POP gadget chain from WordPress core or another installed plugin, leading to arbitrary file write or PHP code execution and ultimately full site takeover. …

Remediation: Patch available per vendor advisory: upgrade the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin to a version newer than 1.1.4 as soon as CRM Perks publishes a fixed release, verifying the exact patched version against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/cf7-insightly/vulnerability/wordpress-wp-insightly-for-contact-form-7-wpforms-elementor-formidable-and-ninja-forms-plugin-1-1-4-php-object-injection-vulnerability and the plugin's WordPress.org page. …
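The CWE-502 pattern the assessment describes, shown beside the fixes a plugin author would apply. This is an added illustration, not code from the WP Insightly plugin; the function names and the 'form_state' parameter are hypothetical, and the snippet assumes it runs inside WordPress (wp_unslash, absint, check_ajax_referer and friends).

```php
<?php
// Added illustration, not code from the WP Insightly plugin; the function
// names and the 'form_state' parameter are hypothetical. Assumes it runs
// inside WordPress (wp_unslash, absint, sanitize_text_field, etc.).
// The CWE-502 pattern the advisory describes: request data goes straight
// into unserialize(), so any class loaded by core, the theme or another
// plugin with __wakeup/__destruct/__toString can be instantiated with
// attacker-chosen properties (the POP gadget chain).
function vulnerable_form_state_handler(): void {
    $state = unserialize( wp_unslash( $_POST['form_state'] ?? '' ) );
    process_form_state( (array) $state );
}

// Fix 1: do not deserialize PHP objects from the request at all. Carry
// state as JSON, reject anything that is not the expected shape, and
// copy only the keys the handler uses into a freshly built array.
function hardened_form_state_handler(): void {
    $raw   = wp_unslash( $_POST['form_state'] ?? '' );
    $state = json_decode( $raw, true, 8 );
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $state ) ) {
        wp_send_json_error( 'invalid form state', 400 );
    }
    $clean = [
        'form_id' => absint( $state['form_id'] ?? 0 ),
        'fields'  => array_map( 'sanitize_text_field', (array) ( $state['fields'] ?? [] ) ),
    ];
    process_form_state( $clean );
}

// Fix 2: where a serialized string cannot be avoided (e.g. legacy data the
// plugin stored itself), forbid object creation. Every object then becomes
// __PHP_Incomplete_Class, which has no magic methods and so cannot start a
// gadget chain; scalars and arrays still deserialize normally.
function unserialize_no_objects( string $serialized ) {
    return unserialize( $serialized, [ 'allowed_classes' => false ] );
}

// Fix 3: the endpoint was reachable with PR:N. Register it for logged-in
// users only, behind a nonce and a capability check.
add_action( 'wp_ajax_save_form_state', function (): void {
    check_ajax_referer( 'save_form_state', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    hardened_form_state_handler();
} );

function process_form_state( array $state ): void {} // plugin logic (hypothetical)
```

Until the vendor ships a fixed release, the same two controls (no unserialize() on request data, and no unauthenticated AJAX/REST registration for the handler) are what a defender can verify by reading the plugin's request handlers.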

Recommended Action (AI)

Within 24 hours: Inventory all WordPress installations using WP Insightly plugin version 1.1.4 or earlier and disable the plugin immediately. …
