PatchSiren cyber security CVE debrief
CVE-2026-49105 CRM Perks CVE debrief
CVE-2026-49105 is a critical vulnerability in the WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin. The vulnerability is caused by an unauthenticated PHP object injection, which allows attackers to inject malicious PHP objects into the application. This can lead to arbitrary code execution, data breaches, and other security issues. The vulnerability has a CVSS score of 9.8, indicating a high severity level.
- Vendor
- CRM Perks
- Product
- WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Administrators and users of WordPress sites using the WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin versions <= 1.1.4 should be aware of this vulnerability and take immediate action to mitigate it.
Technical summary
The vulnerability is caused by an unauthenticated PHP object injection in the WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin versions <= 1.1.4. This allows attackers to inject malicious PHP objects into the application, potentially leading to arbitrary code execution.
Defensive priority
high
Recommended defensive actions
- Update the WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin to a version greater than 1.1.4.
- Monitor your WordPress site for suspicious activity.
Evidence notes
The vulnerability was reported by Patchstack and has been documented in the NVD database.
Official resources
-
CVE-2026-49105 CVE record
CVE.org
-
CVE-2026-49105 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-49105 was published on 2026-06-15T21:17:20.517Z and modified on 2026-06-15T21:24:32.790Z.