CVE-2026-49104 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-49104: WordPress Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.2.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability where attacker-supplied data is passed to PHP's unserialize() function, allowing the attacker to instantiate arbitrary PHP objects and potentially chain them into code execution. The affected product is the WordPress plugin "Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms" by CRM Perks, versions up to and including 1.2.1. This vulnerability is reachable over the network with no authentication required and no user interaction needed, and successful exploitation gives an attacker full read, write, and availability impact on the affected host. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-49104 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Coverage applies to both registry scans and in-pipeline image checks at build time.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 9.8 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor releases a remediated version. In the interim, customers with compensating-control policies can apply network-level isolation or web application firewall rules to restrict access to the vulnerable deserialization surface while awaiting an upstream patch.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS from any internet-connected location.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by an anonymous, unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the server; no user needs to click a link or take any action.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and requires no special preconditions such as race conditions or knowledge of environment-specific values.

Blast Radius

  • A successful attacker can read arbitrary files and data accessible to the web server process, including WordPress database credentials and stored customer records.
  • The attacker can write or modify files on the server, enabling persistent backdoors or defacement of site content.
  • PHP object injection chains (POP chains) present in the WordPress environment can be leveraged to achieve remote code execution on the host.
  • The attacker can crash or disrupt the WordPress service, causing denial of availability for the site and any integrated Keap/Infusionsoft form workflows.

How HarborGuard Handles This

Status: Available on HarborGuard.

Because no upstream fix exists for CVE-2026-49104 at this time, the platform monitors the Patchstack advisory and vendor release channels on every ingest cycle. The moment CRM Perks publishes a patched version, a rebuild at that version becomes available; for customers with auto-remediation enabled, that triggers an automated image rebuild, a regression-test run, and a pull request opened against affected workloads (median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled, once an upstream fix is available). While no patch exists, customers can apply compensating controls: network-policy rules that restrict public access to WordPress form endpoints, web application firewall rules that block serialized PHP payloads in request bodies, and egress filtering to limit what the web server process can reach if code execution does occur. Where compliance policy permits, HarborGuard can flag any image containing plugin versions up to and including 1.2.1 as blocked from promotion to production until the advisory is resolved.
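The WAF compensating control described above (blocking serialized PHP payloads in request bodies), as an added example that is not part of this advisory or of HarborGuard's product: a Python inspector that flags request fields whose value carries a serialized PHP object header, including URL-encoded and base64-encoded variants, without ever passing the data to a deserializer. Field names and sample bodies are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, unquote_plus

# Header of a serialized PHP object: O:<len>:"<Class>":<nprops>:{  (C: for Serializable classes).
# Only this header is pattern-matched; nothing here ever passes data to unserialize().
_PHP_OBJ = re.compile(r'(?<![A-Za-z0-9])([OC]):(\d+):"([^"\\]{1,255})":\d+:\{')

def php_object_classes(text: str) -> list[str]:
    """Class names of serialized PHP objects whose declared name length matches the name."""
    return [m.group(3) for m in _PHP_OBJ.finditer(text)
            if int(m.group(2)) == len(m.group(3).encode())]

def _views(value: str) -> set[str]:
    """The value plus URL-decoded and base64-decoded views of it, so nested encodings are seen."""
    views = {value, unquote_plus(value)}
    for candidate in list(views):
        token = candidate.strip()
        if len(token) >= 8 and re.fullmatch(r'[A-Za-z0-9+/=_-]+', token):
            try:
                raw = base64.b64decode(token + '=' * (-len(token) % 4), altchars=b'-_')
                views.add(raw.decode('utf-8', 'ignore'))
            except ValueError:  # looked like base64 but was not
                pass
    return views

def inspect_request_body(body: str, content_type: str = 'application/x-www-form-urlencoded'):
    """Map each request field to the serialized PHP classes found in it; {} means nothing found."""
    if content_type.startswith('application/x-www-form-urlencoded'):
        fields = parse_qsl(body, keep_blank_values=True)
    else:  # JSON, multipart parts, etc.: scan the body as a single field
        fields = [('<body>', body)]
    findings = {}
    for name, value in fields:
        classes = {cls for view in _views(value) for cls in php_object_classes(view)}
        if classes:
            findings[name] = sorted(classes)
    return findings

# Constructed sample bodies (not taken from the advisory): a benign form post, one carrying a
# serialized stdClass in a field, and one with the same object base64-encoded inside the field.
BENIGN = 'name=Jane+Doe&email=jane%40example.com&message=Hello%3A+see+%22O%3A1%22'
SERIALIZED = 'name=x&payload=' + quote('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}')
BASE64 = 'name=x&payload=' + base64.b64encode(b'O:8:"stdClass":0:{}').decode()

if __name__ == '__main__':
    for label, body in (('benign', BENIGN), ('serialized', SERIALIZED), ('base64', BASE64)):
        print(label, inspect_request_body(body) or 'clean')
```

The declared-length check (`O:8:` must match the eight characters of `stdClass`) keeps the rule from firing on free text that merely contains a colon-separated fragment, which matters for a control placed in front of public contact forms.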

Affected packages
  • CRM Perks / Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
    ≤ 1.2.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H