
Integration for Contact Form 7 HubSpot EUVD-2026-36887
CVE-2026-49763 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-6f45-2725-f94r
9.8 · CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable form submission triggers unserialize() with no user interaction; successful POP chain yields full code execution, hence C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated - Jun 15, 2026 - 21:31 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.

Analysis (AI)

Unauthenticated PHP Object Injection in the Integration for Contact Form 7 HubSpot WordPress plugin (versions <= 1.3.7) allows remote attackers to inject malicious serialized PHP objects, which can lead to full site compromise when a suitable POP gadget chain exists in WordPress core or co-installed plugins. The flaw is reachable without authentication or user interaction (CVSS 9.8) and was reported by Patchstack. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running plugin <=1.3.7
Delivery: Craft serialized PHP payload with POP gadget
Exploit: Submit via Contact Form 7 HubSpot endpoint
Install: Plugin calls unserialize() on input
C2: Magic methods fire gadget chain
Execute: Achieve RCE or arbitrary file write
Impact: Full site takeover

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only network reachability to a WordPress site running the Integration for Contact Form 7 HubSpot plugin at version <= 1.3.7 with a Contact Form 7 form exposing the HubSpot integration handler - no authentication, no user interaction, and no special configuration beyond having the plugin active (PR:N/UI:N/AC:L). …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H signals a network-reachable, low-complexity, unauthenticated bug with full CIA impact - a textbook critical issue (9.8). …

Exploit Scenario: An attacker submits a crafted Contact Form 7 entry whose plugin-handled HubSpot integration parameter contains a serialized PHP object payload referencing a POP gadget chain in WordPress core or another installed plugin. When the plugin calls unserialize() on the attacker input, the gadget chain fires during object lifecycle methods, leading to arbitrary file write or PHP code execution under the web server account, resulting in full WordPress site takeover.

Remediation: Upstream fix availability is not independently confirmed from the provided input; administrators should upgrade the plugin to the latest version above 1.3.7 as published by CRM Perks and tracked at https://patchstack.com/database/wordpress/plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-3-7-php-object-injection-vulnerability. …
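The following is an added illustration, not code from the plugin, from CRM Perks or from vuln.today, of the CWE-502 pattern the scenario above describes and of the hardened forms a maintainer would ship as a fix. The handler names, the `integration_state` form field and the sample payload are all hypothetical; nothing here is derived from the plugin's actual code or from a real gadget chain.

```php
<?php
// Added example (hypothetical handler, NOT the plugin's code): the CWE-502 pattern
// described above, beside the hardened alternatives and a cheap detection check.

// VULNERABLE: unserialize() on attacker-controlled input lets a request instantiate
// arbitrary classes; magic methods (__wakeup, __destruct, ...) on a gadget class
// then run with the web server's privileges.
function vulnerable_handler(array $post)
{
    $raw = $post['integration_state'] ?? '';   // 'integration_state' is an assumed field name
    return unserialize($raw);
}

// HARDENED 1: carry state in a format that cannot express objects at all, and
// whitelist the keys the handler actually uses.
function hardened_handler_json(array $post): array
{
    $raw = $post['integration_state'] ?? '{}';
    $data = json_decode($raw, true, 64, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('integration_state must be a JSON object');
    }
    return array_intersect_key($data, array_flip(['form_id', 'portal_id']));
}

// HARDENED 2: if legacy serialized scalars/arrays must still be accepted, refuse
// every class. Object payloads are decoded as __PHP_Incomplete_Class instead of
// live objects, so no magic method fires; reject them outright anyway.
function hardened_handler_legacy(string $raw)
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized input');
    }
    if (contains_object($data)) {
        throw new InvalidArgumentException('object payloads are not accepted');
    }
    return $data;
}

function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// DETECTION: a pre-filter for request logging or blocking. 'O:<len>:"<class>"' and
// 'C:<len>:"<class>"' are the only tokens by which a serialized PHP string declares
// a class, so their presence at a token boundary is a strong signal. It is a
// heuristic: a string value that happens to contain such a token also matches.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed sample request: a harmless stdClass stands in for a gadget payload.
$sample = ['integration_state' => 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'];

var_dump(looks_like_serialized_object($sample['integration_state']));
var_dump(is_object(vulnerable_handler($sample)));   // the vulnerable path yields a live object
try {
    hardened_handler_legacy($sample['integration_state']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                  // the hardened path rejects it
}
```

The JSON variant is the preferred fix because the format has no object notation; the `allowed_classes => false` variant exists for code that cannot change its wire format yet, and the detection function is for the compensating-control layer (WAF rule, request logging) while the upgrade above 1.3.7 is rolled out.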

Recommended Action (AI)

Within 24 hours: Identify all WordPress instances running Contact Form 7 HubSpot plugin version ≤1.3.7 through automated vulnerability scanning or manual plugin audits. …



EUVD-2026-36887 vulnerability details – vuln.today
