← back
CVE-2026-9691

WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability

CVSS 9.8 CRITICALEPSS 0.5%CWE-502
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
CRM Perks · Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms
public PoCs found1
githubgithub.com/izxci/CVE-2026-96910
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://patchstack.com/database/wordpress/plugin/cf7-active-campaign/vulnerability/wordpress-integration-for-activecampaign-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-1-1-php-object-injection-vulnerability?_s_id=cve