How is CVE-2026-49106 exploited?

Network reachability (required): The vulnerable plugin endpoint is exposed over the network, meaning an attacker can send a crafted request from anywhere on the internet without requiring internal access. Authentication (not-required): No account or session credential of any privilege level is needed to trigger the unsafe deserialization call. Victim interaction (not-required): The attack is fully server-side; no user needs to click a link, open a file, or take any other action for exploitation to succeed. Attack complexity (info): Attack complexity is Low, meaning the exploit is reliable and requires no race condition, special memory layout, or other environmental precondition beyond the plugin being installed and active.

What is the impact of CVE-2026-49106?

Reads arbitrary files on the server, including WordPress configuration files that contain database credentials and secret keys. Writes or modifies files on the server, enabling an attacker to plant a web shell or alter plugin and theme code. Executes arbitrary operating system commands if a suitable PHP gadget chain exists in the installed dependencies, giving full server-level control. Crashes or degrades the WordPress site by corrupting application state or consuming server resources.

Back to search

CRITICALCVE-2026-49106Published 2026-06-15Modified 2026-06-15CNA Patchstack

CVE-2026-49106: WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability

Q: What is CVE-2026-49106?

PHP Object Injection is a vulnerability class where attacker-controlled data is passed to PHP's unserialize() function, allowing an attacker to instantiate arbitrary objects and potentially chain them into dangerous operations. The Integration for Contact Form 7 and Constant Contact WordPress plugin, version 1.1.6 and earlier, is affected and is reachable over the network with no authentication or user interaction required. Successful exploitation gives the attacker full read, write, and availability impact on the host, which in practice means remote code execution, data theft, or complete service disruption depending on what PHP classes are available in the runtime environment. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment a fix version is released.

Q: Is CVE-2026-49106 patched?

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment CRM Perks ships a remediated release. In the interim, customers with compensating-control policies enabled can receive recommended network-layer isolation configurations surfaced through the HarborGuard policy engine.

Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability class where attacker-controlled data is passed to PHP's unserialize() function, allowing an attacker to instantiate arbitrary objects and potentially chain them into dangerous operations. The Integration for Contact Form 7 and Constant Contact WordPress plugin, version 1.1.6 and earlier, is affected and is reachable over the network with no authentication or user interaction required. Successful exploitation gives the attacker full read, write, and availability impact on the host, which in practice means remote code execution, data theft, or complete service disruption depending on what PHP classes are available in the runtime environment. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-49106 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that bundle this WordPress plugin, not only images pulled directly from public registries.

Available

Triage

HarborGuard triage capability for this CVE applies the CVSS 3.1 score of 9.8 (Critical) as a baseline, then weights the finding against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within the customer organization based on the affected workload's classification and policy configuration.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment CRM Perks ships a remediated release. In the interim, customers with compensating-control policies enabled can receive recommended network-layer isolation configurations surfaced through the HarborGuard policy engine.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable plugin endpoint is exposed over the network, meaning an attacker can send a crafted request from anywhere on the internet without requiring internal access.
AuthenticationNot required
No account or session credential of any privilege level is needed to trigger the unsafe deserialization call.
Victim interactionNot required
The attack is fully server-side; no user needs to click a link, open a file, or take any other action for exploitation to succeed.
Attack complexityDetail
Attack complexity is Low, meaning the exploit is reliable and requires no race condition, special memory layout, or other environmental precondition beyond the plugin being installed and active.

Blast Radius

Reads arbitrary files on the server, including WordPress configuration files that contain database credentials and secret keys.
Writes or modifies files on the server, enabling an attacker to plant a web shell or alter plugin and theme code.
Executes arbitrary operating system commands if a suitable PHP gadget chain exists in the installed dependencies, giving full server-level control.
Crashes or degrades the WordPress site by corrupting application state or consuming server resources.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-49106 as of the publication date, HarborGuard monitors the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild for affected environments the moment CRM Perks publishes a fix. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues once an upstream fix is available. While no fix exists, customers can use HarborGuard's policy engine to apply compensating controls: network-policy isolation to restrict external access to the WordPress service, egress filtering to limit outbound connections from the container, and feature-flag or plugin-deactivation recommendations surfaced as policy findings. Customers whose compliance policy flags zero-day Critical CVEs for immediate escalation will have this finding routed accordingly.

See how HarborGuard automates this

Affected packages

CRM Perks / Integration for Contact Form 7 and Constant Contact
≤ 1.1.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

patchstack.com

Metrics

Get notified