Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7 and Related Plugins
CVE-2026-49085

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: WP Insightly For Contact Form 7, WPforms, Elementor, Formidable And Ninja Forms
Vendor: CVE Published:; 15 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-49085?

The WP Insightly plugin for WordPress contains an unauthenticated PHP Object Injection vulnerability, affecting multiple versions of popular form plugins including Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms. This weakness allows attackers to potentially exploit the application's functionality, leading to unauthorized access and manipulation of data. To mitigate this risk, users should immediately review and update their installations to the latest versions that include the necessary security fixes.

Affected Version(s)

WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-49085
Created by izxci

References

https://patchstack.com/database/wordpress/plugin/cf7-insi...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 17, 2026
👾
Exploit known to exist
Jun 17, 2026
Vulnerability published
Jun 15, 2026
Vulnerability Reserved
May 27, 2026

Credit

Frissi0n | Patchstack Bug Bounty Program

CVE-2026-49085 Data

JSON