CVE-2026-12081
Received Received - Intake

Object Injection in Contact Form 7 Database Plugin

Vulnerability report for CVE-2026-12081, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: WPScan

Description

The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator views the stored entry. This is an incomplete fix of CVE-2025-7384 and CVE-2026-2599, whose deserialization paths were hardened while the entry-editor file-field path was missed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking if your WordPress site is running the Database for Contact Form 7, WPforms, Elementor forms plugin version prior to 1.5.2.

Since the vulnerability involves unauthenticated PHP Object Injection through a file-upload form field, detection involves inspecting form submissions for serialized PHP objects in file fields instead of actual files.

You can also monitor the plugin's CRM Entries screen for suspicious entries containing serialized PHP objects.

Specific commands are not provided in the resources, but general approaches include:

  • Using WP-CLI to check the plugin version: `wp plugin get database-for-contact-form-7`
  • Searching the WordPress database entries for suspicious serialized PHP objects in the form entry fields.
  • Monitoring HTTP POST requests to the contact form endpoints for unusual payloads containing serialized PHP objects.
Mitigation Strategies

The immediate mitigation step is to update the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin to version 1.5.2 or later, where this vulnerability is fixed.

Until the update is applied, consider disabling or restricting access to the plugin's CRM Entries screen to prevent administrators from triggering the deserialization of malicious objects.

Additionally, review and restrict file upload fields in contact forms to prevent submission of serialized PHP objects.

Monitor your WordPress logs and database for suspicious activity related to form submissions and entries.

Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary PHP objects via deserialization, potentially leading to unauthorized code execution and modification of WordPress database options. Such unauthorized access and manipulation of data can lead to violations of data protection and security requirements mandated by standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.

Specifically, if the plugin is used on websites handling personal or sensitive data, exploitation of this vulnerability could result in data breaches or unauthorized data alteration, thereby impacting compliance with regulations that mandate strict controls over data confidentiality, integrity, and access.

Executive Summary

CVE-2026-12081 is a vulnerability in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin versions prior to 1.5.2. It involves unauthenticated PHP Object Injection through an entry file field.

The plugin does not properly restrict which PHP classes are allowed when unserializing user-supplied form-field values. This allows attackers to inject arbitrary PHP objects.

When an administrator views and saves the stored entry in the plugin's CRM Entries screen, the injected PHP object is instantiated, potentially leading to code execution.

The attack requires a published contact form with a file-upload field. An unauthenticated attacker can submit a form with a serialized PHP object in the file field instead of an actual file, which the plugin stores verbatim.

This vulnerability is an incomplete fix of previous vulnerabilities (CVE-2025-7384 and CVE-2026-2599), where deserialization paths were hardened except for the entry-editor file-field path.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the affected WordPress site.

An attacker can perform actions such as creating or modifying options in the WordPress database by injecting malicious PHP objects.

Since the attack can be performed by unauthenticated users through a published contact form, it poses a significant security risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart