Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7 by WordPress
CVE-2026-49765

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Integration For Mailchimp And Contact Form 7, WPforms, Elementor, Ninja Forms
Vendor: CVE Published:; 15 June 2026

What is CVE-2026-49765?

An unauthenticated PHP Object Injection vulnerability exists in the Integration for Mailchimp and Contact Form 7, impacting versions of WPForms, Elementor, and Ninja Forms. This flaw allows attackers to craft specific requests that could lead to malicious code execution in the context of the affected plugins. As a result, unauthorized users may exploit this vulnerability to compromise the integrity and security of the web applications utilizing these plugins.

Affected Version(s)

Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8

References

https://patchstack.com/database/wordpress/plugin/cf7-mail...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2026
Vulnerability Reserved
Jun 1, 2026

Credit

Frissi0n | Patchstack Bug Bounty Program

CVE-2026-49765 Data

JSON