External risk intelligence

Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7 and other form plugins <= 1.1.4

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-49105

An unauthenticated PHP object injection vulnerability exists in multiple WordPress form plugins. This could allow attackers to execute arbitrary code on a server, potentially compromising confidentiality, integrity, and availability. Confirm if your organization uses these plugins to understand potential exposure and i

4Halo Surface Signal

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-49105

This vulnerability affects a WordPress plugin designed to handle contact forms and customer service integrations. Such plugins are typically embedded directly into public-facing web pages and contact forms, making them frequently exposed to the internet as part of the normal operation of a website's contact or support interface.

PCI scan relevance

PCI Relevance for CVE-2026-49105

Yes

CVE-2026-49105 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE is PCI scan-relevant due to an unauthenticated PHP Object Injection vulnerability in popular WordPress form plugins, which can lead to remote code execution and compromise system integrity.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves unauthenticated PHP object injection in several popular WordPress form plugins. It means an attacker could potentially exploit this weakness to compromise the affected systems without needing any credentials. The primary concern is confirming if your organization uses these specific plugins and, if so, understanding their exposure and the potential impact.

  • Insecure code allows unauthorized system control.
  • Widely used plugins increase potential attack surface.
  • Confirm relevance; understand potential impact.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can send specially crafted requests to a website using the affected plugin. This could lead to the execution of arbitrary code on the server, granting the attacker control over the compromised system.

  • No login required.
  • Triggered by data injection.
  • Full server compromise risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact the confidentiality, integrity, and availability of systems running the affected WordPress plugins. When exposed to the internet, unauthenticated users could potentially exploit this flaw, leading to severe consequences for the targeted website and its users.

  • System and user data could be compromised.
  • Malicious code may be injected via unauthenticated requests.
  • Service disruption and data manipulation may occur.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts WordPress plugins used for contact forms and customer service integrations, which are often publicly accessible. Ownership likely falls to the website's application or platform team, in coordination with the security and vendor management teams. The first practical step is to identify all instances of the affected plugins, assess their exposure and business criticality, and then prioritize remediation.

  • Application owners should manage the remediation.
  • Verify plugin presence and reachability.
  • Plan coordinated updates or vendor engagement.

Frequently asked questions

What is WP Zendesk for Contact Form 7 and related plugins?

This is a WordPress plugin integration designed to bridge contact form data from popular builders like WPForms, Elementor, Formidable, and Ninja Forms directly into Zendesk. It is used by website administrators to automate customer support workflows by turning form submissions into support tickets.

What does PHP Object Injection mean for CVE-2026-49105?

This vulnerability falls under the CWE-502 weakness class, which refers to deserialization of untrusted data. In plain terms, the plugin incorrectly processes incoming data, allowing an attacker to inject malicious objects into the application's memory. This can trick the server into executing unauthorized commands, effectively letting an attacker gain control over the system.

How is this vulnerability triggered?

An attacker triggers this flaw by sending a specially crafted, malicious network request to a site running the affected plugin versions. No administrative login or user credentials are required to initiate the attack. Crucially, simply viewing the form or browsing the site does not trigger the bug; the attacker must deliberately send data that exploits the insecure deserialization process.

Is my website at risk from this CVE?

According to Halo Surface Signal, this risk is categorized as likely because these plugins are embedded in public-facing contact forms by design. Because the feature must be reachable to accept user inquiries, it is almost always exposed to the internet, making it a potential entry point for unauthenticated actors.

What should I do if I use this plugin?

Your first step is to create an inventory of all sites where this plugin is installed to determine which systems are affected. Once identified, evaluate the criticality of those sites and monitor for vendor-provided updates. If a patch is not immediately available, consider disabling or removing the plugin as a proactive measure to secure your environment.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished