Description
The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a non-required signature form field along with an image upload field. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability is only exploitable in PHP versions prior to 8.
Published: 2025-11-05
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated PHP Object Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows unauthenticated attackers to inject a PHP object through deserialization of untrusted data in the mime_content_type() function when a form contains an optional signature field and an image upload field. The injection alone does not provide a payload, but it can be leveraged if another plugin or theme supplies a PHP Object Persistence (POP) chain, enabling deletion of files, data disclosure, or code execution. The flaw is limited to PHP versions earlier than 8, so modern PHP installations are not affected.

Affected Systems

The affected product is Everest Forms Pro, available from WPEverest, with all releases up to and including version 1.9.7 vulnerable. The flaw manifests only when the plugin is installed on a WordPress site containing a form that has an optional signature field and an image upload field.

Risk and Exploitability

The CVSS score is 5.6, indicating a moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires unauthenticated access to the vulnerable form; no known exploit has been publicly documented. If a POP chain exists on the site, the attacker could achieve significant impact, but without such a chain the risk is comparatively low.

Generated by OpenCVE AI on April 22, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Everest Forms Pro to version 1.9.8 or later.
  • Upgrade the site’s PHP runtime to version 8.0 or newer, as the flaw is limited to older PHP versions.
  • If an update is not immediately possible, remove or disable optional signature fields or image upload fields from forms to mitigate the injection risk or restrict form usage to trusted users.

Generated by OpenCVE AI on April 22, 2026 at 13:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 05 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 05 Nov 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpeverest
Wpeverest everest Forms
Vendors & Products Wordpress
Wordpress wordpress
Wpeverest
Wpeverest everest Forms

Wed, 05 Nov 2025 03:00:00 +0000

Type Values Removed Values Added
Description The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a non-required signature form field along with an image upload field. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability is only exploitable in PHP versions prior to 8.
Title Everest Forms (Pro) <= 1.9.7 - Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
Wpeverest Everest Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:17.762Z

Reserved: 2025-08-11T18:17:12.289Z

Link: CVE-2025-8871

cve-icon Vulnrichment

Updated: 2025-11-05T18:56:18.636Z

cve-icon NVD

Status : Deferred

Published: 2025-11-05T03:15:42.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8871

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:00:18Z

Weaknesses