Integration for Keap/Infusionsoft EUVD-2026-36881

CVE-2026-49104 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-8cgq-qh5g-cj52
9.8 CVSS 3.1 · Vendor: Patchstack
Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 9.8 CRITICAL

Unauthenticated PHP object injection reachable over HTTP with no user interaction; deserialization gadget chains typically yield full RCE, justifying H across CIA.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026 21:35 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.

Analysis (AI)

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions 1.2.1 and earlier) allows remote attackers to inject crafted serialized objects that can be deserialized by the plugin, potentially leading to full site compromise. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high priority for any WordPress site running the affected plugin. …

Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Fingerprint WordPress site running cf7-infusionsoft plugin
Delivery: Craft serialized PHP object with POP gadget chain
Exploit: Send unauthenticated HTTP request to vulnerable endpoint
Install: Trigger unserialize() on attacker payload
C2: Gadget chain executes arbitrary PHP
Execute: Drop webshell and persist
Impact: Full site and database compromise

Vulnerability Assessment (AI)

Exploitation: No special conditions; remote, unauthenticated exploitation against default configurations of the Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms WordPress plugin at version 1.2.1 or earlier, per CVSS AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a textbook critical-severity flaw: remotely reachable, low complexity, no authentication, no user interaction, with high impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.
Exploit Scenario: An unauthenticated attacker identifies a WordPress site running the vulnerable plugin (often via wp-content/plugins/cf7-infusionsoft path fingerprinting) and submits a crafted HTTP request containing a serialized PHP object to a plugin endpoint that calls unserialize() on attacker-controlled input. Using a POP gadget chain sourced from WordPress core or another installed plugin (e.g., via PHPGGC's WordPress chains), the deserialization is escalated to arbitrary file write or command execution, allowing the attacker to drop a webshell and take over the site. …
Remediation: An upstream fix is available per the Patchstack advisory. The patched version is not explicitly stated in the provided data, so administrators should upgrade to the latest release of the cf7-infusionsoft plugin (any version greater than 1.2.1) published in the WordPress plugin directory and verify the installed version via the WordPress admin dashboard. … Detailed patch versions, workarounds, and compensating controls are in the full report.

Recommended Action (AI)

Within 24 hours: Inventory all WordPress instances and identify those running the affected plugin at version 1.2.1 or earlier; immediately disable the plugin on all affected sites. …
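A defender-side inventory check for the step above, written here as an added example and not code from vuln.today, Patchstack or the plugin itself: it walks a list of WordPress document roots, reads the cf7-infusionsoft plugin's header comment the way WordPress' own get_file_data() does, and classifies each install as absent, affected (1.2.1 or earlier) or patched. The directory name cf7-infusionsoft and the 1.2.1 cutoff come from this page; the sample header is constructed and the "first .php file carrying a Version: header" lookup is an assumption about the plugin's layout.

```python
import re
from pathlib import Path
PLUGIN_SLUG = "cf7-infusionsoft"   # plugin directory name cited on this page
LAST_AFFECTED = "1.2.1"            # "<= 1.2.1" per the CVE description
# Same header pattern WordPress' get_file_data() uses to read plugin metadata.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.MULTILINE | re.IGNORECASE)

# Constructed sample of a plugin main-file header, not the real plugin's file.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Integration for Keap/Infusionsoft (constructed sample)
 * Version: 1.2.1
 */
"""

def parse_version(text):
    """'1.2.1' -> (1, 2, 1); '1.3-beta' -> (1, 3); trailing zeros dropped so 1.2.0 == 1.2."""
    nums = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def version_from_header(php_source):
    """Extract the Version: value from a plugin header comment, or None if absent."""
    m = _VERSION_RE.search(php_source[:8192])   # WordPress reads only the first 8 KiB
    return m.group(1).strip() if m else None

def classify(version):
    """'absent' (not installed), 'affected' (<= 1.2.1) or 'patched' (> 1.2.1)."""
    if version is None:
        return "absent"
    return "affected" if parse_version(version) <= parse_version(LAST_AFFECTED) else "patched"

def plugin_version(doc_root):
    """Locate the plugin under a WordPress docroot and read its header version (assumed layout)."""
    plugin_dir = Path(doc_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):  # WP scans top-level .php files for the header
        v = version_from_header(php.read_text(errors="replace"))
        if v:
            return v
    return None

def audit(doc_roots):
    """Map each docroot to its status; 'affected' sites should have the plugin disabled."""
    return {str(root): classify(plugin_version(root)) for root in doc_roots}
```

Run `audit(["/var/www/site1", "/var/www/site2"])` over the docroots from your inventory; any entry reported as affected is a candidate for immediate plugin deactivation until a release newer than 1.2.1 is installed.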
