Integration For Mailchimp And Contact Form 7 Wpforms Elementor Ninja Forms
Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating. No public exploit had been identified at the time of analysis, and the vulnerability is not listed in CISA KEV. The plugin is distributed by CRM Perks and was disclosed via Patchstack.
The CRM Perks Integration plugin for Mailchimp (versions through 1.2.2) contains a missing authorization flaw that allows authenticated attackers to modify data through incorrectly configured access controls. An attacker with user-level permissions could bypass authorization checks to alter form submissions and contact information across integrated platforms including Contact Form 7, WPForms, Elementor, and Ninja Forms. No patch is currently available for this vulnerability.