CVE-2026-3296
Received Received - Intake
PHP Object Injection in Everest Forms Plugin Allows Remote Exploitation

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3296
EUVD
EUVD-2026-20020
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
everest_forms everest_forms to 3.4.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Everest Forms plugin for WordPress has a vulnerability called PHP Object Injection in all versions up to and including 3.4.3. This happens because the plugin unserializes data from form entry metadata without restricting which classes can be instantiated. Attackers can inject malicious serialized PHP objects through any public form field, bypassing sanitization, and these objects are stored in the database. When an administrator views the entries, the unsafe unserialize() function processes this data, potentially leading to exploitation.

Impact Analysis

This vulnerability has a very high severity score (CVSS 9.8) and can be exploited remotely without authentication. It can lead to complete compromise of the affected WordPress site because attackers can execute arbitrary PHP code by injecting malicious objects. This can result in full control over the site, data theft, defacement, or further attacks on the hosting environment.

Compliance Impact

The vulnerability allows unauthenticated attackers to inject malicious serialized PHP objects into form entry metadata, which can lead to full compromise of confidentiality, integrity, and availability of the affected system.

Such a high-severity vulnerability (CVSS 9.8) impacting data confidentiality and integrity could result in violations of data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and tampering.

Therefore, organizations using the Everest Forms plugin without patching this vulnerability risk non-compliance with these common standards and regulations due to potential data breaches and unauthorized data manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3296. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart