CVE-2026-9691 (CRITICAL). CNA: Patchstack.

CVE-2026-9691: WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.

Metrics

CVSS v3.1 score: 9.8
Severity: CRITICAL
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability where attacker-controlled data is passed to PHP's unserialize() function, allowing the attacker to instantiate arbitrary PHP objects and trigger unintended code paths. This critical flaw affects the WordPress plugin "Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms" at version 1.1.1 and below, and is reachable over the network with no authentication required. Successful exploitation, combined with a suitable PHP gadget chain present in the environment, gives an attacker the ability to read, modify, or delete data and potentially execute arbitrary code on the host. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-9691 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image containing the affected plugin at version 1.1.1 or below is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 9.8 (Critical) and applies per-environment compliance policy weighting to determine urgency and escalation path. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available
Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment CRM Perks ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention as soon as a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker can reach it from the internet without requiring any foothold on the host.

  • Authentication: Not required

    No account or session credentials are needed; the injection can be triggered by an unauthenticated HTTP request.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any user or administrator.

  • Attack complexity: Low

    Exploitation is reliable and needs no special conditions beyond the presence of a suitable PHP gadget chain in the WordPress environment, which is common given typical plugin ecosystems.

Blast Radius

  • An attacker who triggers a usable gadget chain reads arbitrary files on the server, including WordPress configuration files that contain database credentials and secret keys.
  • A successful injection can modify or delete database rows, including user accounts, post content, and plugin settings.
  • Depending on available gadgets, the attacker executes arbitrary operating system commands on the host running the WordPress container.
  • All three CVSS impact metrics (confidentiality, integrity, and availability) are rated High, so full compromise of the affected container is a realistic outcome.

How HarborGuard Handles This

Available on HarborGuard: detection for this zero-day PHP Object Injection flaw is active and matched against all images containing the affected plugin at version 1.1.1 or below. Because no upstream patch exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild and (for customers with auto-remediation enabled) a regression run plus PR the moment a fix version is published. In the interim, compensating controls to consider include: placing the WordPress container behind a web application firewall rule that inspects request bodies and query strings and blocks serialized PHP payloads; applying a Kubernetes network policy that restricts inbound traffic to the pod to known trusted sources; and disabling the ActiveCampaign integration feature flag at the application level if the functionality is not actively required. These measures reduce exposure but do not remove the vulnerability, so upgrading as soon as a patch is available remains the authoritative resolution.
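The synopsis above gives the root cause (attacker-controlled data reaching PHP's unserialize()), and the paragraph above names a WAF rule that blocks serialized PHP payloads as the first compensating control. The following is an added example, not HarborGuard's or CRM Perks' code, of what such a rule has to do: every serialized PHP object begins with the header O:<name length>:"<ClassName>":<property count>:{ (or C: for classes with custom serialization), so the check looks for that header in each request parameter after peeling off URL- and base64-encoding layers. Assumptions: only application/x-www-form-urlencoded parameters are parsed (a real rule would also inspect JSON bodies, cookies and headers), the sample requests are constructed for the demonstration, and "stdClass" stands in for whatever class name a real payload would carry.

```python
"""Detect serialized PHP object headers in HTTP request parameters.

Added example, not HarborGuard's or CRM Perks' code. Sample requests are
constructed; "stdClass" is a stand-in class name. Assumption: only
form-encoded parameters are parsed here.
"""
import base64
import binascii
import re
from urllib.parse import quote, unquote_plus, urlencode

# Header of a serialized PHP object, e.g. O:8:"stdClass":0:{}  or  C:11:"ArrayObject":21:{
# Group 1 captures the class name; backslash is allowed for namespaced classes.
PHP_OBJECT_RE = re.compile(r'\b[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Values that look like base64 (standard or URL-safe alphabet) get a decode attempt.
BASE64_RE = re.compile(r'^[A-Za-z0-9+/=_-]{16,}$')


def _decode_layers(value: str, max_depth: int = 3):
    """Yield `value` and each decoding of it that a PHP app might apply before
    calling unserialize(): URL decoding and base64 decoding, `max_depth` deep."""
    seen = set()
    frontier = [value]
    for _ in range(max_depth):
        next_frontier = []
        for v in frontier:
            if v in seen:
                continue
            seen.add(v)
            yield v
            decoded = unquote_plus(v)
            if decoded != v:
                next_frontier.append(decoded)
            if BASE64_RE.match(v):
                std = v.replace('-', '+').replace('_', '/')
                try:
                    raw = base64.b64decode(std + '=' * (-len(std) % 4))
                    next_frontier.append(raw.decode('latin-1'))
                except (binascii.Error, ValueError):
                    pass
        frontier = next_frontier


def find_php_objects(value: str) -> list[str]:
    """Class names of serialized PHP objects found in `value` at any decoding
    layer; an empty list means no object header was seen."""
    classes: list[str] = []
    for layer in _decode_layers(value):
        for match in PHP_OBJECT_RE.finditer(layer):
            if match.group(1) not in classes:
                classes.append(match.group(1))
    return classes


def _form_params(raw: str):
    """Split a form-encoded string into (name, value) pairs. Written by hand
    rather than with parse_qsl so a raw ';' inside a value is never treated
    as a separator, whatever the Python version."""
    for pair in raw.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            yield unquote_plus(name), unquote_plus(value)


def inspect_request(query: str, body: str) -> dict:
    """Inspect every query-string and form-body parameter of one request.
    Returns {"block": bool, "hits": {"<source>.<param>": [class names]}}."""
    hits = {}
    for source, raw in (("query", query), ("body", body)):
        for name, value in _form_params(raw):
            classes = find_php_objects(value)
            if classes:
                hits[f"{source}.{name}"] = classes
    return {"block": bool(hits), "hits": hits}


# Constructed sample requests as (query string, form body) pairs.
SAMPLE_REQUESTS = {
    # A serialized PHP *array* is not an object and is deliberately not flagged.
    "benign-array": ("action=submit", urlencode({"data": 'a:1:{s:4:"name";s:3:"bob";}'})),
    # Object header written straight into the body with no encoding at all.
    "raw-object": ("", 'payload=O:8:"stdClass":0:{}'),
    # The same header URL-encoded and placed in the query string.
    "urlencoded-object": (urlencode({"q": 'O:8:"stdClass":1:{s:1:"a";i:1;}'}), ""),
    # Encoded twice, as happens when a URL is built from already-encoded parts.
    "double-encoded-object": (urlencode({"q": quote('O:8:"stdClass":0:{}')}), ""),
    # Base64-wrapped object, a common way to carry serialized data in a text field.
    "base64-object": ("", urlencode({"blob": base64.b64encode(b'O:8:"stdClass":0:{}').decode()})),
}


def scan_samples() -> dict:
    """Run the inspection over every sample request; returns {name: verdict}."""
    return {name: inspect_request(q, b) for name, (q, b) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:24s} block={verdict['block']!s:5s} hits={verdict['hits']}")
```

Two design choices matter for false positives: only the object header is flagged, so a plugin that legitimately round-trips a serialized array (a:...) through a form field is not blocked, and the base64 branch only fires on values that already look like base64, with any decoding failure ignored. The check is a compensating control only; the plugin's unserialize() call on request data remains the defect, and the upstream fix is the resolution.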

Affected packages
  • CRM Perks / Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms
    ≤ 1.1.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H