WordPress Plugin Vulnerabilities

Database for Contact Form 7, WPforms, Elementor forms < 1.4.8 - Unauthenticated PHP Object Injection via 'download_csv'

Description

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Affects Plugins

Plugin icon
contact-form-entries
Fixed in 1.4.8

References

CVE
CVE-2026-2599
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7a116f28-a560-4b54-9cd1-f1dd9ac3238d

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Chiao-Lin Yu (Steven Meow)
Verified
No
WPVDB ID
10f24486-4c0c-4f17-9d4c-99728e99e11d

Timeline

Publicly Published
2026-03-04 (about 2 months ago)
Added
2026-03-05 (about 2 months ago)
Last Updated
2026-03-05 (about 2 months ago)

Other

Published
Title
Published
2025-02-27
Title
WP Activity Log < 5.3.3 - Authenticated (Admin+) PHP Object Injection
Published
2024-04-03
Title
CMB2 < 2.11.0 - Authenticated (Contributor+) PHP Object Injection
Published
2026-05-19
Title
Boost < 2.0.4 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie
Published
2025-07-08
Title
Noisa < 2.6.2 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-07-04
Title
Subscribe to Download < 2.1.0 - Unauthenticated PHP Object Injection