Cyber Posture

CVE-2026-2599

Critical

Published: 05 March 2026
Modified: 22 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly mandates timely remediation and patching of the PHP object injection (untrusted deserialization) flaw in the Database for Contact Form 7 plugin, versions up to and including 1.4.7.

prevent: Prohibits or controls user-installed software such as unapproved WordPress plugins, preventing deployment of the vulnerable Database for Contact Form 7 plugin.

detect: Requires vulnerability scanning to identify the presence of CVE-2026-2599 in installed WordPress plugins, and to identify co-installed plugins or themes that could supply a POP chain.

Security Summary [AI-generated]

CVE-2026-2599 is a PHP Object Injection vulnerability (CWE-502, Deserialization of Untrusted Data) in the Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress, affecting all versions up to and including 1.4.7. The issue arises from deserialization of untrusted input in the 'download_csv' function, which lets an attacker choose the class and property values of an object the plugin instantiates. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low complexity, no privileges or user interaction required. The high impact metrics assume a usable POP chain is present; on a site without one the realistic impact is much lower, which is consistent with the low EPSS score shown above.

Unauthenticated attackers can exploit this vulnerability remotely by supplying a crafted serialized payload to the deserialization step. Because no known Property-Oriented Programming (POP) chain exists within the vulnerable plugin itself, the injection has no practical impact unless a compatible POP chain is provided by another plugin or theme on the target site. Where one is present, exploitation could lead to deletion of arbitrary files, retrieval of sensitive data, or arbitrary code execution, depending on the gadget classes available.
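The following is an added example written for this page; it is not the plugin's code and is not taken from the Wordfence or Trac references. It illustrates the point made in both the Description and this summary: the unsafe unserialize() pattern, a hardened form, and a toy gadget class showing why the impact depends entirely on a POP chain being loadable. The class LogFlusher, the download_csv_* function names and the scratch file path are illustrative assumptions; the real 'download_csv' function is not reproduced.

```php
<?php
// Added example, not the plugin's code. Names below (LogFlusher, the
// download_csv_* functions, the scratch file) are illustrative assumptions.

// A hypothetical gadget of the kind another plugin or theme might ship: a
// class whose destructor acts on attacker-controllable state. unserialize()
// instantiates whatever class the payload names, so this destructor runs
// even though the application never calls it.
class LogFlusher
{
    public $path = '/tmp/flusher.log';

    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path); // arbitrary file deletion when $path is attacker-controlled
        }
    }
}

// Vulnerable pattern: unserialize() on data taken from the request.
function download_csv_vulnerable(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid every class. Objects in the payload degrade to
// __PHP_Incomplete_Class, whose magic methods are never invoked.
function download_csv_hardened(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred): do not accept PHP serialization from the
// client at all; JSON cannot name a class, so there is nothing to inject.
function download_csv_json(string $untrusted): ?array
{
    $data = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed attacker payload: a serialized LogFlusher whose $path points at
// the file the attacker wants removed (a scratch file here so the demo is safe).
$victim  = sys_get_temp_dir() . '/poi-victim-' . getmypid() . '.txt';
file_put_contents($victim, 'sensitive');
$payload = 'O:10:"LogFlusher":1:{s:4:"path";s:' . strlen($victim) . ':"' . $victim . '";}';

// 1. Vulnerable: the gadget is instantiated and its destructor fires on unset().
$obj = download_csv_vulnerable($payload);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);
printf("vulnerable: victim still exists? %s\n", is_file($victim) ? 'yes' : 'no');

// 2. Hardened: identical payload, but no LogFlusher is ever created.
file_put_contents($victim, 'sensitive');
$obj = download_csv_hardened($payload);
printf("hardened:   got %s\n", get_class($obj));
unset($obj);
printf("hardened:   victim still exists? %s\n", is_file($victim) ? 'yes' : 'no');

// 3. JSON: the same object-shaped data arrives as a plain array.
var_dump(download_csv_json('{"path":"x"}'));

unlink($victim);
```

Run with the php CLI (7.4 or later). The first call deletes the scratch file because LogFlusher's destructor runs; the second call, fed the identical payload, returns an __PHP_Incomplete_Class and leaves the file in place. That is the difference the advisory text draws between "no POP chain, no impact" and "POP chain present, arbitrary file deletion": the vulnerability is the unserialize() call, the impact comes from whichever gadget classes happen to be loadable on the site.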

Advisories and plugin repository references point to patching as the fix. The Wordfence threat intelligence page provides detailed analysis (vulnerability ID 7a116f28-a560-4b54-9cd1-f1dd9ac3238d), and the plugin's Trac changesets, including 3474882, address the issue in 'contact-form-entries.php' around lines 2972 and 3016. Site owners should update the plugin beyond 1.4.7 immediately, confirm the installed version after updating, and audit co-installed plugins and themes for classes that could supply an exploitable POP chain.
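To support the audit step above, an added example (written for this page; not WordPress tooling and not the plugin's code): a PHP triage scan that lists every class under a plugin or theme directory that defines one of the magic methods most commonly used as POP-chain gadgets. The directory tree and its files are constructed inside the script so it runs offline; in practice $root would be pointed at wp-content/plugins or wp-content/themes. A hit is a lead for manual review, not proof that an exploitable chain exists.

```php
<?php
// Added example, not WordPress or plugin code. Lists classes that define
// magic methods commonly used as POP-chain gadgets. A hit is a lead for
// manual review, not proof that an exploitable chain exists.

const GADGET_METHODS = [
    '__destruct', '__wakeup', '__unserialize', '__toString', '__call', '__get', '__set',
];

/**
 * Walk $root for .php files and return one entry per magic-method
 * definition, attributed to the nearest preceding class/trait declaration
 * in the same file (good enough for triage; this is not a full PHP parser).
 */
function find_gadget_candidates(string $root): array
{
    $methodRe = '/\bfunction\s+&?\s*(' . implode('|', GADGET_METHODS) . ')\s*\(/i';
    $classRe  = '/\b(?:class|trait)\s+(\w+)/';
    $hits = [];

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        preg_match_all($classRe, $src, $classes, PREG_OFFSET_CAPTURE);
        preg_match_all($methodRe, $src, $methods, PREG_OFFSET_CAPTURE);

        foreach ($methods[1] as [$method, $offset]) {
            $owner = '(no enclosing class found)';
            foreach ($classes[1] as [$name, $classOffset]) {
                if ($classOffset > $offset) {
                    break;
                }
                $owner = $name;
            }
            $hits[] = [
                'file'   => substr($file->getPathname(), strlen($root) + 1),
                'class'  => $owner,
                'method' => strtolower($method),
            ];
        }
    }
    usort($hits, fn($a, $b) => [$a['file'], $a['class']] <=> [$b['file'], $b['class']]);
    return $hits;
}

// Constructed sample tree standing in for wp-content/plugins; none of these
// are real plugins. In practice point $root at the live plugins/themes dirs.
$root = sys_get_temp_dir() . '/pop-audit-' . getmypid();
$samples = [
    'cleanup-helper/cleanup.php' =>
        "<?php\nclass TempCleaner {\n    public \$dir;\n    public function __destruct() { /* removes \$this->dir */ }\n}\n",
    'cache-layer/cache.php' =>
        "<?php\nclass CacheEntry {\n    public function __wakeup() { /* reconnects */ }\n    public function __toString() { return ''; }\n}\n",
    'plain-widget/widget.php' =>
        "<?php\nclass PlainWidget {\n    public function render() { return 'ok'; }\n}\n",
];
foreach ($samples as $rel => $code) {
    mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", $code);
}

printf("%-28s %-14s %s\n", 'file', 'class', 'magic method');
foreach (find_gadget_candidates($root) as $h) {
    printf("%-28s %-14s %s\n", $h['file'], $h['class'], $h['method']);
}

// Remove the scratch tree.
foreach (array_keys($samples) as $rel) {
    unlink("$root/$rel");
    rmdir(dirname("$root/$rel"));
}
rmdir($root);
```

On the constructed tree the scan reports TempCleaner (__destruct) and CacheEntry (__wakeup, __toString) and nothing for PlainWidget. Review each hit for what the method does with object state an attacker could set through a serialized payload (file paths, callbacks, SQL fragments, URLs); a destructor that only frees memory is harmless, one that unlinks a path from a public property is the kind of gadget the advisory warns about.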

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical unauthenticated PHP Object Injection in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application for potential RCE or other impacts, subject to a POP chain being present on the site.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
