PatchSiren cyber security CVE debrief
CVE-2026-49085 CRM Perks CVE debrief
A critical vulnerability (CVSS Score: 9.8) was published on June 15, 2026, affecting WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin versions <= 1.1.4. This vulnerability allows unauthenticated PHP Object Injection.
- Vendor: CRM Perks
- Product: WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of WordPress sites utilizing the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin versions <= 1.1.4 should prioritize patching this vulnerability to prevent potential exploitation.
Technical summary
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and allows unauthenticated PHP Object Injection. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
critical
Recommended defensive actions
- Patch or upgrade WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin to a version greater than 1.1.4.
- Review and restrict access to sensitive areas of the WordPress site if possible.
Evidence notes
Evidence suggests that this vulnerability was discovered and reported by Patchstack.
Official resources
- CVE-2026-49085 CVE record (CVE.org)
- CVE-2026-49085 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-49085 was published on June 15, 2026, and last modified on June 15, 2026.