Integration For Contact Form 7 And Constant Contact
Monthly
Unauthenticated PHP Object Injection in the WordPress plugin Integration for Contact Form 7 and Constant Contact (versions <= 1.1.6) allows remote attackers to inject crafted serialized PHP objects that get deserialized server-side. When a suitable POP (property-oriented programming) gadget chain is present in WordPress core, another active plugin, or a theme, this can escalate to arbitrary file read/write, deletion, or remote code execution on the host. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the unauthenticated network-reachable attack surface.
Unauthenticated PHP Object Injection in the WordPress plugin Integration for Contact Form 7 and Constant Contact (versions <= 1.1.6) allows remote attackers to inject crafted serialized PHP objects that get deserialized server-side. When a suitable POP (property-oriented programming) gadget chain is present in WordPress core, another active plugin, or a theme, this can escalate to arbitrary file read/write, deletion, or remote code execution on the host. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the unauthenticated network-reachable attack surface.