CVE-2026-49765 (CRITICAL), CNA: Patchstack

CVE-2026-49765: WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.8 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fixed version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability where attacker-controlled data is passed to PHP's unserialize() function, allowing the attacker to instantiate arbitrary PHP objects and chain them into code execution or other destructive actions. This affects the WordPress plugin "Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms" at version 1.1.8 and below, and is reachable over the network with no authentication required. Successful exploitation gives an attacker full confidentiality, integrity, and availability impact on the host, which in practice means remote code execution, data theft, or complete site takeover. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment one is released.
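The mechanism described above, as an added illustration that is not the plugin's code and not from the advisory: a hypothetical class with a __wakeup() side effect stands in for a gadget, a constructed serialized string stands in for untrusted request data, and the two standard hardenings (allowed_classes => false, or a data-only format such as JSON) are shown beside the vulnerable pattern.

```php
<?php
// Added example, not from the vulnerable plugin. Class and function names are
// hypothetical; the serialized string below is constructed for the demo.

class AuditHook
{
    public $fired = false;

    // Stand-in for a gadget's side effect: any magic method that runs during
    // or after deserialization (__wakeup, __unserialize, __destruct) is
    // attacker-triggerable once unserialize() accepts untrusted input.
    public function __wakeup()
    {
        $this->fired = true;
    }
}

// Vulnerable pattern: request data goes straight into unserialize(), so the
// attacker chooses which classes are instantiated and which magic methods run.
function vulnerable_load(string $raw)
{
    return unserialize($raw);
}

// Hardening 1 (PHP 7.0+): forbid object instantiation entirely. Any object in
// the input becomes __PHP_Incomplete_Class and no magic method is invoked.
function hardened_load_scalar(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardening 2: use a format that cannot express objects with behaviour at all.
// Depth is capped so deeply nested input cannot exhaust the parser either.
function hardened_load_json(string $raw): ?array
{
    $data = json_decode($raw, true, 8);
    return is_array($data) ? $data : null;
}

// Constructed input: an AuditHook object as it would appear on the wire.
$payload = 'O:9:"AuditHook":1:{s:5:"fired";b:0;}';

$v = vulnerable_load($payload);          // AuditHook instance, __wakeup() has run
$h = hardened_load_scalar($payload);     // __PHP_Incomplete_Class, __wakeup() never called
$j = hardened_load_json($payload);       // null: not valid JSON, rejected outright
var_dump($v instanceof AuditHook && $v->fired, $h instanceof __PHP_Incomplete_Class, $j);
```

When auditing plugin code, grep for unserialize( and maybe_unserialize( on values that originate from $_GET, $_POST, cookies, or REST/AJAX parameters; every such call without allowed_classes => false is a candidate for this bug class.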

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-49765 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle this plugin.

Triage (Available)

HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weights it against each customer environment's compliance policy to determine urgency and routing; alerts are directed to the relevant team inbox within each customer organization based on image ownership and policy configuration.

Patch (Pending upstream)

Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment CRM Perks ships a remediated release. In the interim, customers with network-isolation or egress-filtering policies can apply those compensating controls through HarborGuard's policy engine to reduce exposure.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker can reach and trigger it from the internet without any foothold on the host.

  • Authentication: Not required

    No account or session credential of any kind is needed; the injection point is accessible to anonymous HTTP requests.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or site administrator.

  • Attack complexity: Low (AC:L in the published vector)

    Exploit reliability is high and no special environmental conditions, race conditions, or configuration variations are required to trigger the vulnerability.

Blast Radius

  • Reads arbitrary files and database contents from the WordPress installation, including stored credentials, API keys, and customer records.
  • Writes or modifies files on the server, enabling persistent backdoor placement or defacement of site content.
  • Crashes or destabilizes the WordPress application or underlying PHP process, causing service disruption for site visitors.
  • Chains deserialized object gadgets into remote code execution, giving the attacker full operating-system-level command execution on the container or host.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-49765 as of the publication date, HarborGuard continuously re-checks the Patchstack advisory and NVD feeds on every ingest cycle. The moment CRM Perks publishes a fix, a patched-image rebuild at the corrected version becomes available, and customers with auto-remediation enabled will receive a rebuild, an automated regression test run, and a pull request opened against affected workloads automatically. While the vulnerability is unpatched, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict inbound traffic to the WordPress service, egress filtering to limit outbound connections from the container, and flagging any image containing this plugin version for immediate human review. For environments with strict compliance policies requiring human sign-off before remediation, HarborGuard queues the rebuild and holds it pending approval rather than merging automatically.

Affected packages
  • CRM Perks / Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms
    ≤ 1.1.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H