PatchSiren cyber security CVE debrief
CVE-2026-49104 CRM Perks CVE debrief
CVE-2026-49104 is a critical vulnerability in the Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin versions <= 1.2.1. The vulnerability allows unauthenticated PHP object injection, with a CVSS score of 9.8 and a severity of CRITICAL.
- Vendor
- CRM Perks
- Product
- Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of WordPress plugins Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms versions <= 1.2.1 should update to a patched version immediately.
Technical summary
The vulnerability is caused by a lack of proper input validation and sanitization, allowing an attacker to inject malicious PHP objects. This can lead to arbitrary code execution, data breaches, and other malicious activities.
Defensive priority
HIGH
Recommended defensive actions
- Update the Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin to a version greater than 1.2.1.
- Review and monitor your WordPress installation for any suspicious activity.
Evidence notes
The vulnerability was reported by Patchstack and is documented in the CVE record.
Official resources
-
CVE-2026-49104 CVE record
CVE.org
-
CVE-2026-49104 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-49104 was published on 2026-06-15T21:17:20.400Z and modified on 2026-06-15T21:24:32.790Z.