Skip to main content

WP Zendesk EUVD-2026-36882

| CVE-2026-49105 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 Patchstack GHSA-cr7j-78mh-rxpv
PHP Deserialization Wp Zendesk For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable PHP object injection in a WordPress plugin yields PR:N/UI:N/AV:N/AC:L; successful gadget-chain exploitation typically gives full code execution, justifying C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:34 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Articles & Coverage 1

News Critical PHP Object Injection in WP Zendesk Contact Form Plugin - CVE-2026-49105 Jun 16, 2026

AnalysisAI

Unauthenticated PHP Object Injection in the CRM Perks 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' WordPress plugin (versions 1.1.4 and earlier) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, data theft, or site takeover when a suitable POP gadget chain is present. The flaw is reported by Patchstack and carries a 9.8 CVSS score with network-reachable, no-privilege, no-interaction characteristics. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site running CF7-Zendesk plugin ≤1.1.4
Delivery
Send HTTP request with serialized PHP payload
Exploit
Plugin unserializes attacker-controlled input
Install
Trigger POP gadget chain via magic methods
C2
Achieve arbitrary code execution as webserver user
Execute
Deploy webshell or create admin user
Impact
Exfiltrate data and persist access
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reach to the WordPress site running the 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' plugin at version 1.1.4 or earlier; no authentication or user interaction is needed per CVSS PR:N/UI:N and the description's explicit 'Unauthenticated' qualifier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H aligns with the description's claim of unauthenticated exploitation and indicates a network-reachable, low-complexity issue with full CIA impact - the classic profile of a critical WordPress plugin RCE primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a crafted HTTP request to a public endpoint exposed by the vulnerable plugin (for example, a form submission or AJAX handler that deserializes user-supplied data), embedding a serialized PHP object that triggers a POP gadget chain present in WordPress core or another installed plugin. The chain executes attacker-controlled code on the server, typically resulting in webshell deployment, admin user creation, or database exfiltration. …
Remediation No vendor-released patch identified at time of analysis; the Patchstack advisory only confirms that versions ≤ 1.1.4 are vulnerable. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Deactivate and disable the WP Zendesk plugin across all WordPress installations; document any business-critical workflows dependent on it. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

EUVD-2026-36882 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy