CRITICAL | CVE-2026-49109 | CNA: Patchstack

CVE-2026-49109: WordPress Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin <= 1.4.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection vulnerability affects the Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms WordPress plugin (versions up to and including 1.4.3). The vulnerability is reachable over the network with no authentication required and no user interaction needed, based on the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives an attacker full read, write, and availability impact against the affected service. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as a fix is released.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-49109 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Coverage extends to both registry scans and in-pipeline image checks at build time.
Triage (Available)

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each environment's compliance policy to determine breach-of-threshold status. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch (Pending upstream)

Because no fix version has been published for this CVE, HarborGuard re-evaluates the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released by the vendor. In the interim, customers with network-policy controls or compensating-control configurations can apply those through HarborGuard's remediation workflow without waiting for an upstream patch.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS to trigger the injection.

  • Authentication: Not required

    No account, session token, or credentials of any kind are needed; the injection can be triggered by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attack is fully automated and server-side; no administrator or user action is required to trigger the vulnerability.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and requires no race conditions, special timing, or specific environmental configuration beyond reaching the service.

Blast Radius

  • Reads arbitrary data from the WordPress database and filesystem, including stored credentials, API keys, and Salesforce integration tokens.
  • Modifies or deletes WordPress database records and filesystem content, including posts, user accounts, and plugin configuration.
  • Crashes or degrades the affected WordPress service, causing denial of availability to legitimate users.
  • Depending on available PHP deserialization gadget chains present in the environment, the attacker may achieve arbitrary code execution on the underlying server.
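The blast radius above follows from how PHP Object Injection works in general: unserialize() on attacker-controlled input reconstructs whatever class the input names and then runs that class's magic methods with attacker-chosen fields. The following is an added illustration of that bug class and its standard mitigations; it is not code from the affected plugin, and the AuditLogger class, the function names and the sample input are hypothetical (assumes PHP 8).

```php
<?php
// Added illustration of PHP Object Injection and its mitigations.
// Not the affected plugin's code; AuditLogger and the function names are hypothetical.

// A harmless stand-in for any application class with a magic method. A real gadget
// chain is simply a class whose __wakeup()/__destruct() does something useful to an
// attacker when its fields are chosen from the serialized input.
class AuditLogger {
    public string $path = '/tmp/audit.log';

    public function __wakeup(): void {
        // Runs automatically as a side effect of unserialize(), before the caller
        // has any chance to inspect the result.
        error_log("AuditLogger restored with path={$this->path}");
    }
}

// Vulnerable pattern: untrusted request data goes straight into unserialize().
function restoreStateUnsafe(string $untrusted): mixed {
    return unserialize($untrusted);
}

// True if the decoded value is, or contains, any object (including nested ones).
function containsObject(mixed $value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 1: allowed_classes => false stops PHP from instantiating any
// class, so no magic method runs; objects decode as __PHP_Incomplete_Class, which
// we reject outright because scalar/array state is all this caller expects.
function restoreStateSafe(string $untrusted): mixed {
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('serialized object rejected');
    }
    return $value;
}

// Hardened pattern 2 (preferred for new code): never use PHP serialization for data
// that crosses a trust boundary. Use JSON and validate the shape explicitly.
function restoreStateJson(string $untrusted): array {
    $value = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($value) || !isset($value['form_id']) || !is_int($value['form_id'])) {
        throw new InvalidArgumentException('unexpected state shape');
    }
    return $value;
}

// Constructed sample input. In the vulnerable scenario this string arrives in an
// unauthenticated HTTP request; serialize() is used here only to build it locally.
$sample = serialize(new AuditLogger());

// Unsafe path: by the time we hold $obj, __wakeup() has already executed.
$obj = restoreStateUnsafe($sample);
var_dump($obj instanceof AuditLogger);

// Safe path: the object payload is refused and no magic method ran.
try {
    restoreStateSafe($sample);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Plain data still round-trips through the safe path, and JSON replaces it for new code.
var_dump(restoreStateSafe(serialize(['form_id' => 7])));
var_dump(restoreStateJson('{"form_id": 7}'));
```

The unsafe call instantiates AuditLogger and fires its __wakeup() purely on the strength of the input string, which is why the advisory's impact extends to code execution whenever a suitable gadget class exists anywhere in the installed code base. A code-review or static-analysis check for this bug class is therefore simple to state: every unserialize() call reachable from request data must either pass allowed_classes => false or be replaced by a format such as JSON that cannot name classes.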

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-49109 as of the publication date, HarborGuard continuously re-checks the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads with no manual steps required. While no patch exists, HarborGuard surfaces this CVE as a Critical finding in every affected image scan and supports compensating controls: network policy isolation to restrict inbound HTTP access to affected containers, egress filtering to limit outbound Salesforce API calls from compromised instances, and feature-flag or plugin-disable recommendations documented in the finding detail. Customers are encouraged to review whether the plugin is strictly necessary in running images and to disable it where it is not, reducing attack surface until an upstream fix is available.

Affected packages
  • crm perks / Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
    ≤ 1.4.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H