CVE-2026-49105 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-49105: WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Metrics

CVSS v3.1 score: 9.8
Severity: CRITICAL
Fixed in: none yet (no upstream fix published)
Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a critical vulnerability in the WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions up to and including 1.1.4). The flaw is reachable over the network with no authentication required, meaning any remote visitor can send a crafted payload to trigger deserialization of attacker-controlled PHP objects. Depending on what other code (gadget chains) is present in the WordPress installation, successful exploitation enables full remote code execution, arbitrary file manipulation, or data theft. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available the moment a fix is released.
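The synopsis above describes the vulnerability class rather than the plugin's internals, so the following is an added illustration of that class, not code from the plugin or from HarborGuard. The class name `AuditLogger`, the sample serialized string and the detection regex are all constructed here for demonstration; nothing is claimed about where the plugin's own `unserialize()` call sits. The block shows why unserializing attacker-controlled input runs code (`__wakeup` and `__destruct` fire during deserialization and teardown), and two hardened alternatives a plugin author or integrator would apply: `allowed_classes => false`, and replacing PHP serialization with JSON.

```php
<?php
// Added illustration of PHP Object Injection (not the plugin's code).
// Hypothetical class standing in for any class a WordPress install autoloads.
// Its magic methods run automatically during unserialize(), which is what makes
// deserializing untrusted input dangerous.
final class AuditLogger
{
    public string $path = '/tmp/audit.log';

    public function __wakeup(): void
    {
        // Runs as soon as unserialize() rebuilds this object.
        echo "[__wakeup] object restored with path={$this->path}\n";
    }

    public function __destruct()
    {
        // Runs when the object graph is torn down, even if the caller never
        // touched the object. A real gadget chain lives in methods like this.
        echo "[__destruct] would write to {$this->path}\n";
    }
}

// Constructed sample standing in for an untrusted HTTP parameter: it names the
// class to instantiate and sets its property to an attacker-chosen value.
$untrusted = 'O:11:"AuditLogger":1:{s:4:"path";s:13:"/tmp/attacker";}';

// Vulnerable pattern: the caller lets the input decide which class is built.
function vulnerable(string $data)
{
    return unserialize($data);
}

// Mitigation 1: forbid all classes. Objects come back as
// __PHP_Incomplete_Class, no magic methods run; scalars and arrays still work.
function hardened(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Mitigation 2: do not use PHP serialization for untrusted input at all.
// JSON carries only data, never a class name to instantiate.
function hardened_json(string $data): array
{
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

// Defender-side heuristic (constructed): flag request bodies that contain a
// PHP serialized object literal, useful as a WAF or log-review signal while
// no upstream fix exists. Matches O:<len>:"<Class>":<n>:{ ... }
function looks_like_php_serialized_object(string $body): bool
{
    return preg_match('/O:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $body) === 1;
}

echo "--- vulnerable ---\n";
$obj = vulnerable($untrusted);             // prints the [__wakeup] line
var_dump($obj instanceof AuditLogger);      // bool(true): attacker picked the class
unset($obj);                                // prints the [__destruct] line

echo "--- hardened ---\n";
$safe = hardened($untrusted);
var_dump(get_class($safe));                 // "__PHP_Incomplete_Class"; no magic ran
unset($safe);                               // nothing printed: no destructor exists

echo "--- hardened_json ---\n";
var_dump(hardened_json('{"path":"/tmp/attacker"}'));  // plain array, no object

echo "--- detection ---\n";
var_dump(looks_like_php_serialized_object($untrusted));          // bool(true)
var_dump(looks_like_php_serialized_object('{"path":"/tmp/x"}')); // bool(false)
```

Run it with `php demo.php`. The `unserialize()` options argument requires PHP 7.0 or later; the `allowed_classes` key may also take an explicit list of class names when an application genuinely needs objects back, but a list is only as safe as the narrowest class on it. The detection regex is a coarse compensating control, not a fix: it catches the common serialized-object shape in request bodies but should be paired with the network-policy isolation and image gating described later in this advisory until the vendor ships a corrected release.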

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-49105 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Images at any version up to and including 1.1.4 are flagged automatically.

Triage (status: Available)

HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and surfaces it at the top of affected image queues. Per-environment compliance policy weighting is applied, and the finding is routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (status: Pending upstream)

No fix version has been published by the upstream vendor as of this writing. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation to deliver a malicious payload.

  • Authentication: Not required

    No account or session credential is needed; the injection point is reachable by any unauthenticated visitor.

  • Victim interaction: Not required

    The attacker interacts directly with the server-side endpoint and does not need any action from a logged-in user or administrator.

  • Attack complexity: Low (CVSS AC:L)

    Exploit reliability is high and no special preconditions are needed, though achieving full code execution may depend on the presence of a usable PHP gadget chain in the target installation.

Blast Radius

  • Reads arbitrary files and database contents accessible to the web server process, including WordPress credentials, API keys, and stored form data.
  • Modifies or deletes files and database records, allowing an attacker to plant backdoors, alter site content, or destroy data.
  • Executes arbitrary operating-system commands on the host if a suitable PHP gadget chain is available, giving the attacker full control of the container or server.
  • Crashes or destabilizes the WordPress application by triggering destructors in the deserialized object graph, causing service disruption.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-49105 is flagged at CRITICAL severity and matched against every image in the ingest pipeline that bundles the WP Zendesk plugin at version 1.1.4 or earlier. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment the vendor publishes a corrected release. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR opened against affected workloads will be triggered automatically at that point, with no manual steps required. While awaiting a fix, compensating controls available within HarborGuard policy enforcement include flagging any deployment of affected images as a policy violation, applying network-policy isolation to restrict public access to the WordPress endpoint, and gating CI pipeline promotion of images that include the vulnerable plugin version.

Affected packages
  • CRM Perks / WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
    ≤ 1.1.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H