PT-2026-23447 · WordPress · Elementor Forms Plugin+2

Chiao-Lin Yu · Published 2026-03-05 · Updated 2026-03-26 · CVE-2026-2599

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress, versions up to and including 1.4.7

Description
The plugin is susceptible to PHP Object Injection due to deserialization of untrusted input within the download csv function. This allows unauthenticated attackers to inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed on the same site. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code.

Recommendations
Versions prior to 1.4.7 should be updated. As a temporary workaround, consider restricting access to the download csv function until a patch is available.
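The unsafe pattern the Description names, beside two defensive alternatives, as an added example that is not the plugin's own code; the function names and the `filter` request parameter are assumptions.

```php
<?php
// Added example for this advisory, not code from the affected plugin.
// It contrasts the pattern the advisory describes (unserialize() on request
// input inside a CSV export handler) with two safer alternatives. The
// function names and the "filter" parameter are assumptions.

// Unsafe: unserialize() instantiates whatever class the input names, so the
// safety of this line depends on every other plugin and theme on the site
// (a POP chain in any of them turns object injection into file deletion,
// data disclosure or code execution, as the advisory notes).
function parse_filter_unsafe(string $raw)
{
    return unserialize($raw);
}

// Safer: refuse object instantiation. Objects in the input are returned as
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a real class runs.
function parse_filter_no_objects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Safest: do not use PHP serialization for request data at all. JSON can only
// produce scalars and arrays, and the keys and types are checked before use.
function parse_filter_json(string $raw): ?array
{
    $data = json_decode($raw, true, 4);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null;
    }
    $allowed = ['form_id' => 'is_int', 'date_from' => 'is_string'];
    foreach ($data as $key => $value) {
        if (!isset($allowed[$key]) || !$allowed[$key]($value)) {
            return null; // unknown key or wrong type
        }
    }
    return $data;
}

// Constructed input, labelled as such: a serialized stdClass. The wire format
// lets the sender name any class that is loaded on the site.
$serialized = 'O:8:"stdClass":1:{s:7:"form_id";i:3;}';

var_dump(get_class(parse_filter_unsafe($serialized)));
var_dump(get_class(parse_filter_no_objects($serialized)));
var_dump(parse_filter_json($serialized));       // serialized PHP is not JSON
var_dump(parse_filter_json('{"form_id":3}'));
```

In a WordPress handler the export action should additionally be gated by a capability check (for example `current_user_can()`) and a nonce, which is the access restriction the Recommendations refer to.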

Fix · RCE

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers

CVE-2026-2599

Affected Products

Database For Contact Form 7
Elementor Forms Plugin
Wpforms