CRITICAL | CVE-2026-49763 | Published: | Modified: | CNA: Patchstack

CVE-2026-49763: WordPress Integration for Contact Form 7 HubSpot plugin <= 1.3.7 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot, versions <= 1.3.7.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: (no upstream fix version published)
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an unauthenticated PHP Object Injection, a vulnerability class that leads to remote code execution, affecting the Integration for Contact Form 7 HubSpot WordPress plugin at version 1.3.7 and earlier. The flaw is reachable over the network with no credentials required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation gives the attacker full control over the confidentiality, integrity, and availability of the affected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-49763 is available across every HarborGuard environment: the CVE is ingested from Patchstack and upstream feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image carrying the Integration for Contact Form 7 HubSpot plugin at version 1.3.7 or earlier is flagged automatically.
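The version-matching step described above, as an added example in Python (not HarborGuard's scanner): it reads the WordPress plugin header, compares the version numerically so that 1.3.10 is correctly treated as newer than 1.3.7, and reports installs at 1.3.7 or earlier. It assumes the plugin's "Plugin Name" header equals the name used in the advisory, and the sample headers are constructed.

```python
import re
from pathlib import Path

# Facts from the advisory: the affected plugin and the last vulnerable version.
AFFECTED_PLUGIN_NAME = "Integration for Contact Form 7 HubSpot"
LAST_VULNERABLE_VERSION = "1.3.7"
# WordPress stores plugin metadata in a comment block at the top of the main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

def parse_plugin_header(text: str) -> dict:
    """Return the 'Plugin Name' and 'Version' fields (WordPress reads only the first 8 KB)."""
    return dict(HEADER_RE.findall(text[:8192]))

def version_tuple(version: str) -> tuple:
    """'1.3.10' -> (1, 3, 10), so it sorts after 1.3.7 where string comparison would not.
    Components after the first non-numeric one ('-beta') are dropped, erring toward flagging."""
    nums = []
    for piece in re.split(r"[.\-+]", version.strip()):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)

def is_affected(version: str) -> bool:
    """True for every version <= 1.3.7, including short forms such as '1.3'."""
    return version_tuple(version) <= version_tuple(LAST_VULNERABLE_VERSION)

def check_plugin_file(text: str):
    """Version string if this is the affected plugin at a vulnerable version, else None.
    Assumes the plugin's 'Plugin Name' header equals the advisory's name for it."""
    header = parse_plugin_header(text)
    if header.get("Plugin Name", "").casefold() != AFFECTED_PLUGIN_NAME.casefold():
        return None
    version = header.get("Version", "")
    return version if is_affected(version) else None

def scan_plugins(plugins_dir: str) -> list:
    """Walk wp-content/plugins (single-file and directory plugins) and report hits."""
    hits = []
    for pattern in ("*.php", "*/*.php"):
        for php in sorted(Path(plugins_dir).glob(pattern)):
            version = check_plugin_file(php.read_text(errors="replace"))
            if version is not None:
                hits.append((str(php), version))
    return hits

# Constructed sample headers (not real plugin files) so the module runs stand-alone.
SAMPLE_VULNERABLE = "<?php\n/*\nPlugin Name: Integration for Contact Form 7 HubSpot\nVersion: 1.3.7\n*/\n"
SAMPLE_NEWER = "<?php\n/**\n * Plugin Name: Integration for Contact Form 7 HubSpot\n * Version: 1.3.10\n */\n"
```

Point `scan_plugins()` at a container's `wp-content/plugins` directory to list every affected install with its path and version.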
Triage (Available)

Triage is available using the CVSS v3.1 score of 9.8 (Critical), weighted against each customer environment's own compliance policy to set urgency and priority. Findings are routed to the appropriate team inbox within each customer organization based on their configured escalation rules.
Patch (Pending upstream)

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment CRM Perks ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker can reach and trigger it from any internet-accessible host without any special network position.

  • Authentication: Not required

    No account or credentials of any privilege level are needed; the injection point is reachable by any unauthenticated request.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; the exploit is sent directly to the server.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental preconditions.

Blast Radius

  • A successful attacker can execute arbitrary PHP code on the server, gaining full control of the WordPress application and its underlying host process.
  • The attacker can read all data stored by the application, including contact form submissions, HubSpot API credentials, and WordPress database credentials.
  • The attacker can modify or delete stored data, including posts, user accounts, plugin configurations, and any records accessible to the web process.
  • The attacker can crash or render the affected service unavailable by corrupting application state or exhausting server resources.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-49763 at this time, HarborGuard monitors the Patchstack advisory and all upstream feeds on every ingest cycle and will make a patched-image rebuild available automatically the moment CRM Perks publishes a remediated version. For customers who opt into auto-remediation, that rebuild will be followed immediately by a regression run and a PR opened against affected workloads. While no patch is available, compensating controls worth considering include network-policy rules that restrict inbound traffic to WordPress deployments from untrusted sources, egress filtering to limit what a compromised container can reach, and feature-flag or plugin-disable mechanisms to turn off the Contact Form 7 HubSpot integration on any instance where it is not actively required. The 9.8 Critical CVSS score means this CVE is eligible for expedited routing under most HarborGuard compliance policy configurations.

Affected packages
  • CRM Perks / Integration for Contact Form 7 HubSpot
    ≤ 1.3.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References