CVE-2026-12081
Description
The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator views the stored entry. This is an incomplete fix of CVE-2025-7384 and CVE-2026-2599, whose deserialization paths were hardened while the entry-editor file-field path was missed.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | Database for Contact Form 7, WPforms, Elementor forms | — | 0 < 1.5.2 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| — | cna | CWE-502 Deserialization of Untrusted Data |