CVE-2026-2599 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: March 5, 2026
Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress - PHP Object Injection
Overview
Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress <= 1.4.7 contains a PHP Object Injection vulnerability caused by deserialization of untrusted input in the 'download_csv' function. This lets unauthenticated attackers inject PHP objects; exploitation requires the presence of a POP chain in another installed plugin or theme.
Severity & Score
Impact
If a POP chain is present in another plugin or theme, attackers can delete files, retrieve sensitive data, or execute code.
Mitigation
Update to a version later than 1.4.7, or apply patches that address the insecure deserialization.
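The pattern behind CWE-502 findings like this one, shown as an added PHP example that is not the plugin's own code: a hypothetical CSV export handler that rebuilds its options from a request parameter, first with the unsafe unserialize() call and then with two hardened variants, plus a heuristic a defender can use to flag serialized-object payloads in request logs. All function and key names are assumptions.

```php
<?php
// Added illustration, not code from the plugin. Function and option
// names (load_export_options_*, columns, form_id) are hypothetical.

// VULNERABLE PATTERN (CWE-502): unserialize() on request data lets the
// caller instantiate any loaded class. If another plugin or theme ships
// a class with a dangerous __wakeup()/__destruct() (a "POP chain"), that
// code runs before this function even looks at the result.
function load_export_options_unsafe(string $raw): array {
    $opts = unserialize($raw);          // attacker controls the class graph
    return is_array($opts) ? $opts : [];
}

// HARDENED 1: keep the wire format but forbid object instantiation.
// allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, so no magic method from any plugin is invoked.
function load_export_options_no_objects(string $raw): array {
    $opts = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($opts) ? $opts : [];
}

// HARDENED 2 (preferred): do not accept PHP serialization from untrusted
// callers at all. JSON cannot express objects with behaviour, and the
// decoded array is then reduced to an explicit allow-list of keys/types.
function load_export_options_json(string $raw): array {
    $opts = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    $allowed = ['columns' => [], 'form_id' => 0];   // known keys + defaults
    $clean = [];
    foreach ($allowed as $key => $default) {
        $clean[$key] = $opts[$key] ?? $default;
    }
    $clean['columns'] = array_values(array_filter((array) $clean['columns'], 'is_string'));
    $clean['form_id'] = (int) $clean['form_id'];
    return $clean;
}

// Detection heuristic for WAF rules or log review: PHP-serialized objects
// appear as O:<len>:"ClassName" (or C:<len>:" for custom serialization),
// either at the start of the string or after ';' / '{' inside an array.
function looks_like_serialized_object(string $raw): bool {
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}
```

Independently of the parsing fix, a handler that an unauthenticated user can reach should also carry a capability and nonce check; the page only documents the deserialization defect, so that check is not shown here.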
References
- https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L2972
- https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L3016
- https://plugins.trac.wordpress.org/changeset/3474882/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7a116f28-a560-4b54-9cd1-f1dd9ac3238d?source=cve
Social Media Activity (1 post)
CVE-2026-2599 - Critical (9.8) The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it p... https://www.thehackerwire.com/vulnerability/CVE-2026-2599/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-2599
- Severity: Critical
- CVSS Score: 9.8
- Type: insecure_deserialization
- Status: unconfirmed
- EPSS: 10.7%
- Social Posts: 1
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H