top of page
perceptive_background_267k.jpg

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7…

Published:

4 March 2026 at 23:00:00

Alert date:

5 March 2026 at 20:09:02

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress contains a PHP Object Injection vulnerability in versions up to 1.4.7. The vulnerability exists in the 'download_csv' function due to deserialization of untrusted input. Unauthenticated attackers can inject PHP objects, but the vulnerability has no direct impact unless a POP chain is present via another plugin or theme. If a POP chain exists, attackers could potentially delete files, retrieve sensitive data, or execute code.

Technical details

Mitigation steps:

Affected products:

Database for Contact Form 7
WPforms
Elementor forms plugin
WordPress

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-2599
https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L2972
https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L3016
https://plugins.trac.wordpress.org/changeset/3474882/
https://www.wordfence.com/threat-intel/vulnerabilities/id/7a116f28-a560-4b54-9cd1-f1dd9ac3238d?source=cve

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page