CVE-2026-49768: WordPress Happyforms plugin <= 1.26.13 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a vulnerability class that, in practice, leads to unauthenticated remote code execution; this instance affects the Happyforms WordPress plugin at version 1.26.13 and below. The flaw is reachable over the network with no login and no user interaction, so any internet-facing WordPress site with the plugin installed is exposed. Successful exploitation gives an attacker full control over the confidentiality, integrity, and availability of the affected site. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection (Available). Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Patchstack advisory feed) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Happyforms plugin. Any image containing Happyforms at or below version 1.26.13 is flagged automatically.
Triage (Available). Triage uses the CVSS v3.1 score of 9.8 (Critical), and per-environment compliance policy weighting can escalate or suppress routing based on each customer org's risk thresholds. Findings are routed to the appropriate team inbox within each customer organization according to its configured policy.
Remediation (Pending upstream). Because no upstream fix version has been published, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the vendor ships a remediated release. For customers who opt into auto-remediation, a rebuilt image, a regression-test run, and a PR opened against affected workloads are triggered without manual intervention as soon as the fix becomes available.
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.
- Authentication: Not required
  No account or session credential of any kind is needed to trigger the injection.
- Victim interaction: Not required
  The attack is fully server-side and requires no action from any user or administrator.
- Attack complexity: Low (AC:L in the CVSS vector)
  Exploitation is reliable and condition-free, with no race conditions or special environmental factors required.
Blast Radius
- A successful attacker can read any data accessible to the web process, including WordPress database credentials, stored user records, and session tokens.
- The attacker can write or modify files and database rows, enabling backdoor installation, content defacement, or privilege escalation within WordPress.
- The attacker can crash or hang the web service process, taking the WordPress site offline.
- Because PHP Object Injection can chain the magic methods (such as __wakeup or __destruct) of classes already loaded by WordPress and its plugins into a property-oriented programming (POP) chain, the practical outcome is arbitrary code execution on the host running the plugin.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-49768 as of the publication date, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild the moment Happyforms ships a fixed release. In the interim, recommended compensating controls are: isolating affected WordPress containers behind a web application firewall rule that blocks serialized PHP payloads in user-supplied input; applying network-policy rules that restrict outbound connections from the WordPress container, to limit post-exploitation lateral movement; and disabling or removing the Happyforms plugin entirely in images where the form functionality is not required. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads are triggered automatically, without manual steps, as soon as a fix version is published.
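The following is an added illustration of the vulnerability class and of the compensating control recommended above. It is example code written for this page, not Happyforms or HarborGuard code, and it makes no claim about where the real sink sits in the plugin: the class Gadget, the function names and the sample payloads are all constructed. It shows why an unrestricted unserialize() on user input is dangerous, the two hardened alternatives (allowed_classes => false, or JSON instead of PHP serialization), and the kind of pattern check a WAF rule or request filter can apply to "serialized PHP payloads in user-supplied input".

```php
<?php
// Added example (not Happyforms or HarborGuard code): the generic shape of a
// PHP Object Injection sink, two hardened alternatives, and the input check a
// WAF rule or request filter can apply as a compensating control.
// The class name Gadget, the function names and the payloads are hypothetical.
// Requires PHP 8.0+ (typed static property, mixed return type).

// A class with a magic method stands in for any "gadget" already loaded by
// WordPress or a plugin; __wakeup runs automatically when unserialize()
// instantiates it. The side effect here is deliberately harmless: a counter.
class Gadget {
    public static int $wakeups = 0;
    public function __wakeup(): void { self::$wakeups++; }
}

// Vulnerable pattern: unserialize() on untrusted input with default options
// instantiates whatever class the payload names and runs its magic methods.
function restore_state_vulnerable(string $raw): mixed {
    return unserialize($raw);
}

// Hardened: with allowed_classes => false every object in the payload becomes
// __PHP_Incomplete_Class, so no plugin or core class is instantiated and no
// magic method runs. Adequate when the data is legitimately a serialized array.
function restore_state_hardened(string $raw): mixed {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Preferred: carry user-supplied state as JSON, which has no object-type
// syntax to abuse. Returns null for anything that is not a JSON array/object.
function restore_state_json(string $raw): ?array {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Compensating-control check: does the input contain a serialized PHP object
// header? Matches O:<len>:"<class>":<n>:{ and the C:<len>:"<class>":<n>:{ form
// used by classes implementing Serializable. Objects nested inside a serialized
// array are caught because the header can appear anywhere in the string.
// Caveat: decode URL, base64 or other transport encodings before checking.
function looks_like_serialized_object(string $input): bool {
    return preg_match('/[OC]:\+?\d+:"[^"]*":\d+:\{/', $input) === 1;
}

// Constructed sample inputs.
$object_payload = serialize(new Gadget());              // O:6:"Gadget":0:{}
$nested_payload = serialize(['state' => new Gadget()]); // object inside an array
$plain_payload  = serialize(['name' => 'Ada', 'count' => 3]);

printf("object payload flagged: %s\n", looks_like_serialized_object($object_payload) ? 'yes' : 'no');
printf("nested payload flagged: %s\n", looks_like_serialized_object($nested_payload) ? 'yes' : 'no');
printf("plain array flagged:    %s\n", looks_like_serialized_object($plain_payload) ? 'yes' : 'no');

restore_state_vulnerable($object_payload);
printf("vulnerable path: __wakeup ran %d time(s)\n", Gadget::$wakeups);

$obj = restore_state_hardened($object_payload);
printf("hardened path: got %s, __wakeup still ran %d time(s)\n", get_class($obj), Gadget::$wakeups);

var_dump(restore_state_json($object_payload)); // NULL: not JSON, rejected outright
```

Run with `php example.php`. The vulnerable path reports the counter at 1 (the magic method executed), the hardened path returns a __PHP_Incomplete_Class and leaves the counter unchanged, and the JSON path rejects the payload outright. The pattern check is a heuristic for a perimeter rule: it catches the plain and nested object headers but sees nothing through an undecoded encoding layer, so it complements, rather than replaces, removing or restricting the unserialize() sink and the plugin itself.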
- Happyforms / Happyforms: ≤ 1.26.13
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H