CVE-2026-49104

CRM Perks · Integration for Keap/infusionsoft

An unauthenticated PHP Object Injection vulnerability in the CRM Perks Integration for Keap/infusionsoft allows remote attackers to perform deserialization of untrusted data.

Executive summary

A critical unauthenticated PHP Object Injection vulnerability in the CRM Perks Integration for Keap/infusionsoft plugin creates a high risk of remote system compromise.

Vulnerability

The vulnerability allows remote, unauthenticated attackers to perform deserialization of untrusted data. This flaw, classified as CWE-502 (Deserialization of Untrusted Data), enables the execution of arbitrary code by injecting malicious PHP objects into the application.

Business impact

With a CVSS score of 9.8, this vulnerability represents a critical risk to the confidentiality, integrity, and availability of the affected system. Exploitation would likely grant an attacker full administrative control over the WordPress installation, facilitating data theft and potential backend system infiltration.

Remediation

Immediate Action: Update the CRM Perks Integration for Keap/infusionsoft plugin to the latest version immediately to patch the insecure deserialization vulnerability.

Proactive Monitoring: Monitor server logs for unauthorized access attempts or suspicious serialized object patterns frequently associated with PHP injection attacks.

Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect incoming traffic and block requests containing suspicious serialized PHP payloads.
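The monitoring recommendation above talks about "suspicious serialized object patterns" without saying what to match on. The following is an added example, not part of this advisory and not code from the plugin, showing what such a check looks like in practice: a small Python scanner that recognises PHP's native serialization format (`O:<len>:"<Class>":<n>:{` for objects, `C:` for custom-serialized objects, `a:<n>:{` for arrays) in web-server access-log lines, after reversing the URL encoding and base64 wrapping that such data usually arrives in. The log lines, client addresses (documentation ranges) and the `stdClass` payload are constructed for the example; because the advisory does not disclose which request parameter the plugin deserializes, the scanner checks the entire request target rather than one parameter name. Access logs normally do not contain POST bodies, so the same `find_serialized_php` function should also be run over bodies captured by a WAF or audit log.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# PHP serialization signatures: O:<len>:"<Class>":<n>:{ (object),
# C:<len>:"<Class>":<n>:{ (custom-serialized object) and a:<n>:{ (array,
# which can carry nested objects). The class name may be namespaced (backslashes).
PHP_SERIALIZED_RE = re.compile(r'(?:O|C):\d+:"[A-Za-z0-9_\\]+":\d+:\{|a:\d+:\{')

# Runs of base64 alphabet characters long enough to be worth decoding.
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

# Common/combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)


def _candidate_views(text):
    """Return the text as logged plus its URL-decoded form, and the decoded
    contents of any base64-looking run found in either, so a payload is seen
    no matter which of those encodings wraps it."""
    views = [text]
    decoded = unquote_plus(text)
    if decoded != text:
        views.append(decoded)
    for view in list(views):
        for blob in B64_RE.findall(view):
            try:
                # Re-add padding that may have been stripped or left percent-encoded.
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
            except (binascii.Error, ValueError):
                continue
            views.append(raw.decode("latin-1"))
    return views


def find_serialized_php(text):
    """Return the distinct PHP-serialization signatures found in any view of text."""
    hits = []
    for view in _candidate_views(text):
        for match in PHP_SERIALIZED_RE.finditer(view):
            if match.group(0) not in hits:
                hits.append(match.group(0))
    return hits


def scan_log(lines):
    """Return (client_ip, request_target, hits) for every parsable log line
    whose request target carries PHP-serialized data."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = find_serialized_php(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings


# Constructed sample log: one benign request, one with a percent-encoded
# serialized stdClass object, one with the same kind of object base64-wrapped.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Mar/2026:12:00:05 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=example&data='
    'O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D HTTP/1.1" 200 77',
    '198.51.100.23 - - [10/Mar/2026:12:00:09 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=example&data=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {hits}")
```

The signatures are a heuristic: `a:<n>:{` in particular can appear in legitimate traffic from plugins that pass serialized arrays around, so treat a hit on an array alone as lower confidence than an `O:` or `C:` hit, and tune the base64 minimum length to your traffic before alerting on it.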

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is critical and requires urgent attention. System administrators must prioritize updating the affected plugin to the latest version to eliminate the risk of unauthenticated remote code execution.