PatchSiren cyber security CVE debrief
CVE-2026-9691 CRM Perks CVE debrief
CVE-2026-9691 is a critical vulnerability with a CVSS score of 9.8. The vulnerability is an unauthenticated PHP object injection in the Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin versions <= 1.1.1. The vulnerability was published on [cve-org] and additional details can be found on [nvd].
- Vendor
- CRM Perks
- Product
- Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Administrators and users of WordPress sites using the Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin versions <= 1.1.1 should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability is caused by an unauthenticated PHP object injection in the Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin versions <= 1.1.1. This could allow an attacker to inject malicious PHP objects, potentially leading to arbitrary code execution.
Defensive priority
high
Recommended defensive actions
- Update the Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin to a version greater than 1.1.1.
- Review and restrict access to sensitive areas of the WordPress site.
- Monitor the site for suspicious activity.
Evidence notes
The vulnerability was reported by Patchstack and has been documented in the NVD database.
Official resources
-
CVE-2026-9691 CVE record
CVE.org
-
CVE-2026-9691 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-9691 was published on 2026-06-15T21:17:25.997Z and modified on 2026-06-15T21:24:32.790Z.