← back
CVE-2026-49105

WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability

CVSS 9.8 CRITICALEPSS 0.5%CWE-502
Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
CRM Perks · WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
public PoCs found1
githubgithub.com/izxci/CVE-2026-491050
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://patchstack.com/database/wordpress/plugin/cf7-zendesk/vulnerability/wordpress-wp-zendesk-for-contact-form-7-wpforms-elementor-formidable-and-ninja-forms-plugin-1-1-4-php-object-injection-vulnerability?_s_id=cve