Unauthenticated PHP Object Injection in WP Zendesk and Other Forms by WordPress
CVE-2026-49105

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: WP Zendesk For Contact Form 7, WPforms, Elementor, Formidable And Ninja Forms
Vendor: CVE Published:; 15 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-49105?

This vulnerability allows unauthenticated attackers to exploit PHP object injection flaws in the WP Zendesk for Contact Form 7 and other associated WordPress plugins such as WPForms, Elementor, Formidable, and Ninja Forms. Versions up to 1.1.4 are impacted, permitting malicious users to potentially manipulate application behavior and gain unauthorized access to sensitive data or system functions.

Affected Version(s)

WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-49105
Created by izxci

References

https://patchstack.com/database/wordpress/plugin/cf7-zend...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 17, 2026
👾
Exploit known to exist
Jun 17, 2026
Vulnerability published
Jun 15, 2026
Vulnerability Reserved
May 27, 2026

Credit

Frissi0n | Patchstack Bug Bounty Program

CVE-2026-49105 Data

JSON