External risk intelligence

Unauthenticated PHP Object Injection in Keap Infusionsoft Integration Plugin.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-49104

A critical PHP Object Injection vulnerability exists in a WordPress integration plugin, potentially allowing unauthenticated attackers to inject malicious code, leading to system compromise and data manipulation. This issue is relevant for any organization using this plugin for contact forms and CRM integration, as it

Halo Surface Signal: 4

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-49104

This vulnerability affects a WordPress plugin designed to integrate contact forms with CRM services. These plugins are typically installed on public-facing websites to capture user data, making the vulnerable code path reachable via the internet as part of normal web form functionality.

PCI scan relevance

PCI Relevance for CVE-2026-49104

Yes

CVE-2026-49104 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability allows unauthenticated PHP object injection in popular form plugins, posing a significant risk to web applications.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This CVE involves a critical security flaw in certain WordPress plugins that integrate with popular contact form builders and CRM systems. The vulnerability, an unauthenticated PHP Object Injection, could allow unauthorized access to manipulate data and take control of affected systems, posing a significant risk if these plugins are in use. The primary concern is to confirm if these specific plugins and versions are deployed within our environment.

  • The affected plugin lets unauthenticated attackers inject malicious PHP objects.
  • Exploitation can lead to system takeover and data manipulation.
  • Verify whether the plugin is installed and check for affected versions.

Attack Path

How an attacker could exploit the issue

An attacker could leverage this vulnerability by sending specially crafted data through a website's integration feature, potentially reaching vulnerable code without needing any prior access or authentication. Successful exploitation could allow an attacker to inject malicious PHP objects, leading to significant compromise of the affected system.

  • No authentication or access required.
  • Triggered by unauthenticated user input.
  • Risk of remote code execution.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated PHP Object Injection in a WordPress integration plugin could allow an attacker to execute arbitrary code or impact the integrity and availability of the affected system when processing user-submitted form data. This could lead to a compromise of the WordPress site and its associated data.

  • At risk: plugin data and system integrity.
  • Trigger: processing unauthenticated form submissions.
  • Impact: unauthorized code execution and site compromise.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects a WordPress plugin used for integrating contact forms with CRM services, so the web or platform teams managing WordPress instances and the application owners responsible for the integrated CRM functionality are the likely remediation owners. The first practical step is to identify all WordPress sites using this plugin, confirm their external reachability, and assess the business criticality of the affected forms in order to prioritize remediation, which may involve coordination with the vendor.

  • Application and platform teams own remediation.
  • Verify affected WordPress site exposure.
  • Plan maintenance or vendor coordination.

Frequently asked questions

What is the WordPress integration for Keap/Infusionsoft plugin?

This software is a bridge that connects WordPress contact forms—such as Contact Form 7, WPForms, and others—to the Keap/Infusionsoft CRM. It allows website owners to automatically send form submissions directly into their CRM database. Because it handles incoming visitor data, it is a critical component for lead generation and automated customer management workflows on WordPress-based websites.

How does CVE-2026-49104 create a security risk?

This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data), known in PHP as PHP Object Injection. It occurs when a plugin improperly handles serialized data provided by a user. Instead of safely processing the input, the software lets an attacker supply a serialized string that PHP reconstructs into objects of the attacker's choosing. This can cause the application to perform unintended actions, potentially giving an attacker the ability to execute code or take control of the affected WordPress site.
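The following is an added example, not code from the affected plugin, from the vendor, or from WordPress core. It illustrates the CWE-502 pattern described in this answer and in the "Attack Path" section above: a form handler that passes visitor-controlled bytes to unserialize(), beside two hardened alternatives a defender would deploy. The function names, the "tags" form field, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the affected plugin or from WordPress core:
// the CWE-502 pattern the advisory describes, shown as a vulnerable form
// handler beside two hardened alternatives. Function names and the "tags"
// form field are assumptions made for illustration.
declare(strict_types=1);

// VULNERABLE PATTERN (do not use): bytes controlled by an anonymous visitor go
// straight into unserialize(). PHP instantiates whatever class the string names
// and runs that class's magic methods (__wakeup, __destruct, ...), which is the
// unintended behaviour the advisory's "PHP Object Injection" refers to.
function handle_tags_vulnerable(array $post): array
{
    $tags = unserialize($post['tags'] ?? '');
    return is_array($tags) ? $tags : [];
}

// HARDENED PATTERN 1 (preferred): never accept PHP-serialized input from a
// request. Expect JSON, decode into plain arrays only, and validate the shape.
function handle_tags_hardened(array $post): array
{
    $raw = $post['tags'] ?? '';
    // true = associative arrays, never stdClass objects; throws JsonException on bad input
    $tags = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($tags)) {
        throw new InvalidArgumentException('tags must be a JSON array');
    }
    foreach ($tags as $tag) {
        if (!is_string($tag) || !preg_match('/^[\w\- ]{1,64}$/', $tag)) {
            throw new InvalidArgumentException('invalid tag value');
        }
    }
    return array_values($tags);
}

// HARDENED PATTERN 2 (legacy data only): if a serialized format cannot be
// retired yet, forbid object instantiation entirely. Any class token in the
// input becomes __PHP_Incomplete_Class and no magic methods run; the whole
// value is then rejected if such a placeholder appears anywhere inside it.
function unserialize_scalars_only(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed input
    }
    return contains_incomplete_class($value) ? null : $value;
}

function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: a normal submission, a serialized plain array, and
// a serialized empty stdClass. The object is deliberately harmless; it only
// shows that the hardened path refuses any object whatsoever.
$normalSubmission = ['email' => 'visitor@example.com', 'tags' => '["newsletter","webinar"]'];
$serializedArray  = 'a:1:{i:0;s:5:"hello";}';
$serializedObject = 'O:8:"stdClass":0:{}';

print_r(handle_tags_hardened($normalSubmission));   // validated list of tags
var_dump(unserialize_scalars_only($serializedArray)); // plain data passes through
var_dump(unserialize_scalars_only($serializedObject)); // object payload is rejected
```

The design point is that the fix is not to "sanitize" serialized strings but to stop reconstructing objects from request data at all: JSON decoded to arrays carries the same structured data with no class instantiation, and where a serialized format must linger, `allowed_classes => false` removes the object-instantiation step that makes CWE-502 dangerous in PHP. Code review for this class of bug should search the plugin for every `unserialize(` call and trace whether its argument can originate from a form submission.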

Do I need to be logged in for an attacker to trigger this bug?

No. This vulnerability can be triggered by an unauthenticated user. This means an attacker does not need a valid account or special privileges on your website to send the malicious request. It is not triggered by normal administrative activity, but rather by sending specifically crafted data through the public-facing contact forms that the plugin manages.

Is my website at risk if it uses this plugin?

According to Halo Surface Signal, this software is typically installed on public-facing websites to capture user data, making the vulnerable code path reachable over the internet. If your site uses an affected version, it is accessible to anyone who can visit your form. Websites that are strictly internal or have restricted network access face different risk profiles, but public sites are at the highest level of concern.

When should I take action for CVE-2026-49104?

You should prioritize this immediately. The first step is to perform an inventory of all your WordPress instances to identify where this specific integration plugin is installed and running version 1.2.1 or lower. Once you have identified the affected sites, coordinate with your web or platform teams to plan for updates or disabling the integration until a secure vendor version is confirmed and deployed.
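The inventory step above can be scripted. The following is an added example, not a tool from the vendor or from WordPress core: a read-only PHP script that parses the standard plugin header from each plugin's main file under one or more WordPress document roots and flags installs whose version is 1.2.1 or lower. It assumes the default `wp-content/plugins/<slug>/` layout and identifies the plugin by a "Keap" or "Infusionsoft" match on its "Plugin Name" header, since the advisory does not give the plugin's directory slug; the sample headers and site paths are constructed.

```php
<?php
// Added example, not the vendor's or WordPress core's code: a read-only
// inventory check for the affected plugin across several WordPress roots.
// Assumptions: plugins live under wp-content/plugins/<slug>/, the plugin's
// header names Keap or Infusionsoft, and 1.2.1 is the highest affected
// version (the advisory says "1.2.1 or lower"). Sample data is constructed.
declare(strict_types=1);

const AFFECTED_MAX_VERSION = '1.2.1';

// Parse the standard WordPress plugin header block out of a file's contents.
function parse_plugin_header(string $source): array
{
    $out = [];
    foreach (['Plugin Name', 'Version'] as $field) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi', $source, $m)) {
            $out[$field] = trim($m[1]);
        }
    }
    return $out;
}

// Decide whether a parsed header describes an affected install.
function is_affected(array $header): bool
{
    $name    = $header['Plugin Name'] ?? '';
    $version = $header['Version'] ?? '';
    // Assumption: the plugin is recognised by vendor name, not by a known slug.
    $matchesPlugin = (bool) preg_match('/keap|infusionsoft/i', $name);
    return $matchesPlugin && $version !== ''
        && version_compare($version, AFFECTED_MAX_VERSION, '<=');
}

// Walk wp-content/plugins under a document root and read each plugin's header.
function scan_site(string $docRoot): array
{
    $findings = [];
    foreach (glob($docRoot . '/wp-content/plugins/*/*.php') ?: [] as $file) {
        $head = file_get_contents($file, false, null, 0, 8192); // header sits in the first 8 KB
        if ($head === false) {
            continue;
        }
        $header = parse_plugin_header($head);
        if (isset($header['Plugin Name'])) {
            $findings[] = ['file' => $file, 'header' => $header, 'affected' => is_affected($header)];
        }
    }
    return $findings;
}

// Constructed sample headers so the decision logic can be exercised offline.
// The 2.0.0 entry is invented to show an unaffected version; it is not a
// statement about which vendor release contains the fix.
$samples = [
    "<?php\n/*\nPlugin Name: Keap Infusionsoft Integration\nVersion: 1.2.1\n*/",
    "<?php\n/**\n * Plugin Name: Keap Infusionsoft Integration\n * Version: 2.0.0\n */",
    "<?php\n/*\nPlugin Name: Contact Form 7\nVersion: 5.9\n*/",
];
foreach ($samples as $src) {
    $h = parse_plugin_header($src);
    printf("%-36s %-8s %s\n", $h['Plugin Name'], $h['Version'], is_affected($h) ? 'AFFECTED' : 'ok');
}

// Real run: pass WordPress document roots on the command line, for example
//   php inventory.php /var/www/site-a /var/www/site-b   (constructed paths)
foreach (array_slice($argv ?? [], 1) as $root) {
    foreach (scan_site($root) as $f) {
        if ($f['affected']) {
            printf("AFFECTED: %s (%s %s)\n", $f['file'], $f['header']['Plugin Name'], $f['header']['Version']);
        }
    }
}
```

Two caveats for a real run: a plugin that was copied into a non-standard directory or whose main file does not carry the standard header will be missed, so treat a clean result as a starting point rather than proof of absence, and a flagged site still needs the external-reachability check described under "Operational Fix" before it is prioritized.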
