External risk intelligence

Unauthenticated PHP Object Injection in Mailchimp and Contact Form 7 Integration <= 1.1.8

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-49765

A critical unauthenticated PHP object injection vulnerability exists in a WordPress integration plugin. Attackers could inject malicious code, potentially compromising website confidentiality, integrity, and availability. Confirming the plugin's use is essential for assessing risk.

Halo Surface Signal: 4

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-49765

The vulnerability exists in a WordPress plugin designed to integrate with contact forms and mail services. Such plugins are typically installed on public-facing websites to handle user-submitted data, making them accessible to internet traffic as part of the standard web application deployment.

PCI scan relevance

PCI Relevance for CVE-2026-49765

Yes

CVE-2026-49765 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is an unauthenticated PHP object injection, which is an automatic fail class for PCI ASV scans. It requires remediation before a passing attestation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a WordPress plugin used for integrating contact forms and email services. This issue could allow unauthorized attackers to inject malicious code remotely, potentially impacting the confidentiality, integrity, and availability of systems. The main concern is to confirm if this specific plugin is in use and assess potential exposure.

  • Unauthenticated code injection in form plugins.
  • Relevance and exposure depend on whether this plugin is in use.
  • Validate if the integration plugin is deployed.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site that has the affected integration plugin installed. Since the vulnerability is unauthenticated, an attacker does not need to log in. This could allow them to inject malicious PHP objects, leading to unauthorized code execution and potentially full compromise of the website.

  • No authentication required.
  • Triggered by unauthenticated requests.
  • Leads to code execution and site compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious code when interacting with contact form integrations, potentially affecting website data and service behavior.

  • Website data and service behavior at risk.
  • Attacker sends specially crafted requests.
  • Leads to unauthorized actions or data compromise.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated PHP object injection vulnerability affects a WordPress plugin used for integrating contact forms and mail services. The initial action involves identifying all instances of this plugin across your web presence, assessing their exposure and criticality, and locating the accountable owner for each. Remediation planning should then proceed based on these findings.

  • Application owners should own the issue.
  • Verify external reachability and business criticality.
  • Plan remediation based on assessed risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Integration for Mailchimp and Contact Form 7 plugin?

This is a WordPress plugin that bridges contact form builders—such as Ninja Forms, Elementor, and WPForms—with Mailchimp. It is used by site administrators to automatically sync form submissions and user contact information directly into email marketing lists, simplifying lead management and audience growth directly from the website interface.

What does PHP Object Injection mean in CVE-2026-49765?

This vulnerability, classified as CWE-502 (Deserialization of Untrusted Data), happens when the plugin incorrectly processes data from users. Because the software fails to validate this input before unserializing it, an attacker can supply a serialized PHP object that the server reconstructs as if it were legitimate application data, allowing them to manipulate the site's logic or execute unauthorized commands.
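The difference between the unsafe deserialization pattern and a hardened one, as an added PHP example that is not the affected plugin's code; the function names are hypothetical, and the "hostile" input is a harmless stdClass standing in for the class a real payload would name.

```php
<?php
// Added example, not the affected plugin's code; helper names are hypothetical.

// VULNERABLE pattern (CWE-502): request data goes straight to unserialize().
// PHP instantiates whatever class the payload names and later runs that
// class's __wakeup()/__destruct(), so an unauthenticated requester decides
// which objects are created inside the application.
function restore_state_vulnerable(string $raw): mixed {
    return unserialize($raw);
}

// HARDENED (1): same wire format, but object creation is disabled. Any object
// in the payload becomes __PHP_Incomplete_Class, whose magic methods never
// run, while scalars and arrays still round-trip for legacy stored data.
function restore_state_hardened(string $raw): mixed {
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED (2): switch the format to JSON, which has no notion of PHP classes,
// so there is nothing to inject. Preferred when the data is the plugin's own.
function restore_state_json(string $raw): mixed {
    return json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
}

// Constructed inputs. stdClass stands in for whatever class a real payload
// would name; the point is that option (1) never lets it come to life.
$benign  = serialize(['email' => 'user@example.com', 'list' => 'newsletter']);
$hostile = serialize((object) ['note' => 'probe']);

// The vulnerable path hands back a live object of the class the input named.
echo get_debug_type(restore_state_vulnerable($hostile)), "\n";
// The hardened path hands back an inert placeholder with no callable methods.
echo get_debug_type(restore_state_hardened($hostile)), "\n";
// Ordinary array data is unaffected by the restriction.
var_export(restore_state_hardened($benign));
echo "\n";
// The JSON variant accepts only scalars, arrays and maps.
var_export(restore_state_json(json_encode(['email' => 'user@example.com'])));
```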

How is this vulnerability triggered by an attacker?

An attacker triggers this by sending a specifically crafted network request to the WordPress site. They do not need to provide credentials or log in to the system. Simply browsing the site normally or using legitimate contact forms will not trigger the flaw; it requires the deliberate submission of malicious data structures designed to exploit the plugin's data handling.

Is my website at risk from this CVE?

According to Halo Surface Signal, this plugin is typically installed on public-facing websites to handle user-submitted data, meaning it is accessible to internet traffic by design. If your site uses this integration, it is likely reachable from the internet, making it important to confirm whether your specific version is 1.1.8 or older.

What steps should I take if I use this software?

Start by identifying every instance where this integration plugin is deployed across your web properties. Verify which versions are active and determine the business criticality of those sites. Once identified, consult the software vendor for available updates to address the underlying code flaw and coordinate with the application owners to apply the necessary security changes.
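A version audit for the inventory steps described here and under Operational Fix, written as an added PHP example rather than vendor code; it reads the `Version:` field from each plugin's comment header the way WordPress does. The plugin-name pattern and the sample headers are assumptions: replace the pattern with the exact `Plugin Name:` installed on your sites.

```php
<?php
// Added example, not vendor code. WordPress reads a plugin's metadata from
// the comment header of its main file ("Version: 1.1.8"). The name pattern
// below is an assumption: match it to the exact "Plugin Name:" you deploy.
const AFFECTED_MAX_VERSION = '1.1.8';
const PLUGIN_NAME_PATTERN  = '/mailchimp.*contact form 7/i';

/** Parse "Key: value" header lines from the first 8 KB of a plugin file. */
function read_plugin_header(string $source): array {
    $header = [];
    $head   = substr($source, 0, 8192);
    foreach (['Plugin Name', 'Version'] as $key) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $head, $m)) {
            $header[$key] = trim($m[1]);
        }
    }
    return $header;
}

/** True when the header names the integration plugin at an affected version. */
function is_affected(array $header): bool {
    return isset($header['Plugin Name'], $header['Version'])
        && preg_match(PLUGIN_NAME_PATTERN, $header['Plugin Name']) === 1
        && version_compare($header['Version'], AFFECTED_MAX_VERSION, '<=');
}

/** Walk wp-content/plugins and return [file => version] for affected installs. */
function find_affected_plugins(string $plugins_dir): array {
    $hits = [];
    foreach (glob($plugins_dir . '/*/*.php') ?: [] as $file) {
        $header = read_plugin_header((string) file_get_contents($file));
        if (is_affected($header)) {
            $hits[$file] = $header['Version'];
        }
    }
    return $hits;
}

// Constructed sample headers so the logic can be checked offline.
$samples = [
    "<?php\n/**\n * Plugin Name: Mailchimp and Contact Form 7 Integration\n * Version: 1.1.8\n */",
    "<?php\n/**\n * Plugin Name: Mailchimp and Contact Form 7 Integration\n * Version: 1.1.10\n */",
    "<?php\n/**\n * Plugin Name: Unrelated Plugin\n * Version: 1.0.0\n */",
];
foreach ($samples as $src) {
    $h = read_plugin_header($src);
    printf("%-45s %-7s %s\n", $h['Plugin Name'], $h['Version'], is_affected($h) ? 'AFFECTED' : 'ok');
}
// Real audit: print_r(find_affected_plugins('/var/www/html/wp-content/plugins'));
```

Run it once per web host (or point `find_affected_plugins()` at each site's plugins directory) and feed the hits into the owner-by-site list the remediation plan calls for.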
