HarborGuard Database
CVE-2026-49085 · Severity: CRITICAL · CNA: Patchstack (published and modified dates not captured)

CVE-2026-49085: WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability in which attacker-controlled data reaches PHP's unserialize() function. unserialize() will instantiate any class that is loaded or autoloadable at that point, with property values chosen by the attacker, and magic methods such as __wakeup() and __destruct() run on those objects automatically; where a usable chain of such classes ("gadgets") exists in the codebase, this can be turned into file writes, database queries, or code execution. The WP Insightly plugin for WordPress (versions 1.1.4 and earlier) contains this flaw and exposes it over the network with no authentication required. Successful exploitation can give an attacker full confidentiality, integrity, and availability impact on the WordPress installation. No fix version has been published; HarborGuard is tracking the advisory and will surface a patched rebuild as soon as upstream ships one.
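As an added illustration (not the plugin's code and not derived from the advisory), the following PHP shows the pattern described above: a harmless stand-in class with a magic method, a constructed serialized string of the kind an attacker could place in a request parameter, and the two safer ways to handle the same input. The class name, the payload and the file paths are assumptions made for the demonstration.

```php
<?php
// Added illustration (not the plugin's code): why unserialize() on
// attacker-controlled input is dangerous, and two safer alternatives.

// A harmless stand-in for a "gadget": any class that is loaded in the
// process and defines a magic method such as __wakeup() or __destruct().
// In a real WordPress install the attacker picks from whatever classes
// core, the theme and every active plugin happen to autoload.
class AuditLogger
{
    public string $logFile = '/tmp/audit.log';
    public string $entry = '';

    // Runs automatically as soon as unserialize() rebuilds the object;
    // both properties are whatever the serialized string said they were.
    public function __wakeup(): void
    {
        file_put_contents($this->logFile, $this->entry . PHP_EOL, FILE_APPEND);
    }
}

// Constructed request parameter: the attacker chose the class name and
// every property value. Nothing here came from the application.
$untrusted = 'O:11:"AuditLogger":2:{s:7:"logFile";s:17:"/tmp/attacker.txt";s:5:"entry";s:5:"pwned";}';

// 1. Vulnerable pattern: an AuditLogger is instantiated and __wakeup()
//    fires, appending attacker text wherever the web server user can write.
$obj = unserialize($untrusted);
var_dump($obj instanceof AuditLogger);

// 2. Mitigation when the serialized format must be kept: refuse to
//    instantiate any class. The result is a __PHP_Incomplete_Class
//    placeholder and no magic method runs.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);

// 3. Preferred fix: carry plain data in a format that cannot express
//    objects at all, and validate its shape after decoding.
$json = json_encode(['logFile' => 'ignored', 'entry' => 'hello']);
$data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
if (!is_array($data) || !isset($data['entry']) || !is_string($data['entry'])) {
    throw new InvalidArgumentException('unexpected payload shape');
}
echo $data['entry'], PHP_EOL;
```

Option 2 is the minimal change for code that already exchanges serialized strings with itself; option 3 is what a fix should look like when the data only ever needed to be an array of scalars, which is the common case for form-to-CRM plugins.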

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-49085 is available across every HarborGuard environment. Images are matched against the ingested advisory within minutes of publication, including custom-built images that bundle this WordPress plugin.

Triage: Available

HarborGuard scores this CVE at 9.8 Critical (CVSS v3.1) and surfaces it with that severity weighting applied against each environment's compliance policy. Triage tickets are routable to the team or inbox configured for that severity tier within each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version is released. Until then, HarborGuard flags all images containing affected versions of the plugin as unresolved Critical findings.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is reachable over the network; an attacker can send a crafted HTTP request to any WordPress site running the plugin without prior access to the host.

  • Authentication: Not required

    No account or session credential is needed; the injection point is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker does not need a site user to take any action; the exploit is triggered entirely by the attacker's own request.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions, memory layout knowledge, or environmental prerequisites are required.

Blast Radius

  • Reads arbitrary WordPress database content, including stored user credentials, session tokens, and private post data.
  • Writes or modifies files and database rows on the server, enabling persistent backdoor installation or content tampering.
  • Crashes or degrades the WordPress application, causing service disruption for site visitors.
  • Achieves remote code execution where a suitable gadget chain exists among the classes loaded by WordPress core, the active theme and other installed plugins; the advisory does not name a specific chain, so the practical ceiling on a given site depends on which classes are loaded there.

How HarborGuard Handles This

Available on HarborGuard: any container image that includes WP Insightly plugin version 1.1.4 or earlier is flagged immediately as a Critical finding upon scan, with CVSS 9.8 scoring applied and triage routing matching each environment's configured policy. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically at that point. In the interim, compensating controls worth applying, in order of reliability: deactivate the plugin until a patched version is available (its code, including the injection point, then no longer runs); restrict HTTP access to the WordPress deployment from untrusted sources with network-policy rules where the site's audience allows it; and add web-application firewall rules that block request parameters and bodies carrying serialized PHP object payloads (strings of the form O:<n>:"ClassName":, including URL- or base64-encoded variants). WAF rules are a heuristic and can be bypassed by encodings the rule does not decode, so they are a stopgap rather than a substitute for deactivation or the upstream fix.
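The WAF-style check mentioned above, written as a PHP request filter of the kind that could run from a WordPress must-use plugin before the vulnerable code executes. This is an added example, not HarborGuard's or the plugin's code; the function names, the regular expression and the sample requests are constructed for the demonstration, and a real deployment would hook it into the request lifecycle and answer a hit with an HTTP 4xx.

```php
<?php
// Added example (not HarborGuard's or the plugin's code): a request-level
// filter for serialized PHP object payloads, meant as a temporary
// compensating control in front of an unpatched plugin. Assumed inputs:
// the decoded request parameters ($_GET/$_POST/$_COOKIE style arrays)
// and the raw request body.

// A serialized PHP object starts with O:<len>:"<Class>":<count>:{ (C: is
// the custom-serialize form). The pattern is deliberately not anchored so
// that objects nested inside serialized arrays are caught as well.
const SERIALIZED_OBJECT_RE = '/[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

// True if the value, or its URL-decoded or strictly base64-decoded form,
// contains a serialized object marker.
function looksLikeSerializedObject(string $value): bool
{
    $candidates = [$value, urldecode($value), rawurldecode($value)];
    // Only treat the value as base64 when it is well formed, to limit
    // false positives from ordinary text that happens to decode.
    if (strlen($value) % 4 === 0 && preg_match('/^[A-Za-z0-9+\/]+={0,2}$/', $value) === 1) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false) {
            $candidates[] = $decoded;
        }
    }
    foreach ($candidates as $candidate) {
        if (preg_match(SERIALIZED_OBJECT_RE, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

// Walks nested parameter arrays (PHP turns a[b]=c into arrays) and then
// the raw body, which is parsed as JSON when it is JSON so that strings
// inside it are inspected after unescaping. Returns the first offending
// parameter path, or null when the request looks clean.
function findSerializedObject(array $params, string $rawBody = '', string $prefix = ''): ?string
{
    foreach ($params as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $hit = findSerializedObject($value, '', $path);
            if ($hit !== null) {
                return $hit;
            }
        } elseif (is_string($value) && looksLikeSerializedObject($value)) {
            return $path;
        }
    }
    if ($rawBody !== '') {
        $decoded = json_decode($rawBody, true);
        if (is_array($decoded)) {
            return findSerializedObject($decoded, '', 'body');
        }
        if (looksLikeSerializedObject($rawBody)) {
            return 'body';
        }
    }
    return null;
}

// Constructed sample requests for a dry run: [parameters, raw body].
$requests = [
    'benign form post'      => [['name' => 'Ada', 'email' => 'ada@example.com'], ''],
    'plain object'          => [['data' => 'O:8:"stdClass":1:{s:1:"a";i:1;}'], ''],
    'url-encoded object'    => [['data' => 'O%3A8%3A%22stdClass%22%3A0%3A%7B%7D'], ''],
    'base64 object'         => [['data' => base64_encode('O:8:"stdClass":0:{}')], ''],
    'nested array'          => [['form' => ['fields' => ['x' => 'O:8:"stdClass":0:{}']]], ''],
    'raw JSON body'         => [[], '{"payload":"O:8:\\"stdClass\\":0:{}"}'],
    'serialized array only' => [['data' => 'a:1:{s:1:"k";s:1:"v";}'], ''],
];

foreach ($requests as $label => [$params, $body]) {
    $hit = findSerializedObject($params, $body);
    printf("%-24s %s\n", $label, $hit === null ? 'allow' : "block ($hit)");
}
```

The last sample is allowed on purpose: a serialized array with no O: or C: marker cannot make unserialize() instantiate a class. Expect occasional false positives on free text that happens to match the marker, and misses on payloads wrapped in encodings the filter does not decode (double encoding, compression), which is why this ranks below deactivating the plugin until the upstream fix ships.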

Affected packages
  • CRM Perks / WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
    ≤ 1.1.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H