PHP Object Injection Vulnerability in WordPress Form Plugins
CVE-2026-12081
Currently unrated
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 13 July 2026
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2026-12081?
A vulnerability exists in multiple WordPress form plugins, allowing unauthenticated users to inject arbitrary PHP objects through unserialized form-field values. When an administrator views the stored entry, these injected objects can be instantiated, potentially leading to unauthorized actions or data exposure. This issue is a result of an incomplete fix for previous vulnerabilities where certain deserialization paths were left unaddressed.
Affected Version(s)
Database for Contact Form 7, WPforms, Elementor forms 0 < 1.5.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.