PatchSiren cyber security CVE debrief
CVE-2026-49109 crm perks CVE debrief
CVE-2026-49109 is a critical vulnerability in the Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin versions <= 1.4.3. The vulnerability is caused by an unauthenticated PHP object injection, which can allow attackers to execute arbitrary code on the affected system. The vulnerability has a CVSS score of 9.8 and is considered critical.
- Vendor
- crm perks
- Product
- Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Administrators and users of WordPress sites using the Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin versions <= 1.4.3 should be aware of this vulnerability and take immediate action to update to a patched version.
Technical summary
The vulnerability is caused by an unauthenticated PHP object injection in the Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin versions <= 1.4.3. This can allow attackers to execute arbitrary code on the affected system.
Defensive priority
high
Recommended defensive actions
- Update to a patched version of the plugin (version > 1.4.3) as soon as possible.
- Review and monitor your WordPress site for any suspicious activity.
Evidence notes
The vulnerability was reported by Patchstack and has been confirmed by the CVE.org and NVD.
Official resources
-
CVE-2026-49109 CVE record
CVE.org
-
CVE-2026-49109 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-49109 was published on 2026-06-15T21:17:20.750Z and modified on 2026-06-15T21:24:32.790Z.