Description
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.
Published: 2026-04-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject a serialized PHP object via any public form field in the Everest Forms plugin. The stored entry metadata is unserialized without class restrictions when an administrator views entries, enabling arbitrary code execution. The object survives WordPress sanitization, so the attack does not require authentication to submit the payload. Successful exploitation can compromise confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

WordPress installations running the Everest Forms plugin (wpeverest:Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder) with version 3.4.3 or earlier are affected. No other products or versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 9.8 marks the issue as critical, with no EPSS data available. It is not listed in the CISA KEV catalogue. The attack vector is likely from a public form that an unauthenticated user can submit data to the site. The prerequisite for exploitation is that an attacker can retain a crafted serialized payload; the exploit is triggered only when an administrator later accesses the entry view, at which point the unserialize call processes the malicious data. Given the high severity and the potential for full code execution on the host, the risk is high and the likelihood of exploitation is significant in environments where the plugin is not upgraded.

Generated by OpenCVE AI on April 8, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Everest Forms to version 3.4.4 or later to apply the vendor fix.
  • Verify that the plugin has been updated by checking the plugin version in the WordPress admin panel.
  • If an update cannot be applied immediately, remove or deactivate the Everest Forms plugin to eliminate the risk source.
  • Limit the ability to view or manage form entries to super‑admin roles only, reducing the window for an attacker’s payload to be unserialized.
  • Monitor the wp_evf_entrymeta table and WordPress logs for unusual serialized entries and account activity.

Generated by OpenCVE AI on April 8, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpeverest
Wpeverest everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Vendors & Products Wordpress
Wordpress wordpress
Wpeverest
Wpeverest everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.
Title Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpeverest Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:45.183Z

Reserved: 2026-02-26T20:09:26.417Z

Link: CVE-2026-3296

cve-icon Vulnrichment

Updated: 2026-04-08T14:21:46.392Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T02:16:04.067

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-3296

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:44:12Z

Weaknesses