Platform
wordpress
Component
everest-forms
Fixed in
3.4.4
CVE-2026-3296 is a critical vulnerability affecting the Everest Forms plugin for WordPress. This flaw allows an unauthenticated attacker to inject a serialized PHP object payload through any public form field, potentially leading to Remote Code Execution (RCE). The vulnerability impacts versions of Everest Forms up to and including 3.4.3, but a fix is available in version 3.4.4.
CVE-2026-3296 is a PHP Object Injection flaw in the Everest Forms WordPress plugin. The file html-admin-page-entries-view.php passes stored form-entry data to unserialize() without validating it first, so a string that an attacker submitted in any public form field is deserialized as-is when the entry is processed by that file. PHP instantiates whatever class the payload names and runs its magic methods (__wakeup, __destruct, __toString and the like), so an attacker who can find a usable gadget chain among the classes loaded on the site (WordPress core, the plugin itself, other plugins, the theme) can turn the flaw into arbitrary code execution and full server takeover. The reported CVSS score of 9.8 reflects that worst case: the injection point is reachable without authentication and the impact, when a chain exists, is total compromise.
To exploit it, an attacker submits a public Everest Forms form with a serialized PHP object string in any field; nothing about the request requires an account. The payload is ordinary printable text, so input filtering that only strips HTML tags or escapes output does not stop it. The stored value is later handed to unserialize() by html-admin-page-entries-view.php, which instantiates the named class and triggers its magic methods. Whether that becomes code execution depends on the classes available on the target: a site with many plugins and themes installed offers more candidate gadget chains, while without a chain the injected object is inert. Because public forms are among the most exposed parts of any WordPress site, mass scanning for unpatched installs is cheap, which makes the combination of no authentication and a simple POST request a significant threat.
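As an added illustration (not code from this advisory or from Everest Forms), the following PHP places the vulnerable unserialize() call beside two hardened alternatives. The LogWriter gadget class and the payload string are constructed for the example; on a real site the gadget role is played by whatever class with a suitable magic method happens to be loaded.

```php
<?php
// Added example (not Everest Forms code): the vulnerable unserialize() pattern
// beside two hardened alternatives.

// Hypothetical gadget. Any loaded class with a magic method (__wakeup, __destruct,
// __toString, ...) that acts on its own properties can play this role.
class LogWriter {
    public $path;
    public $data;
    public function __destruct() {
        // Fires as soon as the deserialized object is released, with the web
        // server's privileges. A real gadget would write $data to $path here.
        echo "[gadget] __destruct would write " . strlen($this->data)
           . " bytes to {$this->path}\n";
    }
}

// Constructed attacker payload, submitted as the value of any public form field.
// It contains no HTML, so tag-stripping sanitizers leave it intact.
$field_value = 'O:9:"LogWriter":2:{s:4:"path";s:18:"/var/www/shell.php";'
             . 's:4:"data";s:6:"stage1";}';

// Vulnerable pattern: the class named in the payload is instantiated.
function vulnerable_render(string $value) {
    return unserialize($value);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the payload
// become __PHP_Incomplete_Class and no magic method runs.
function hardened_render(string $value) {
    return unserialize($value, ['allowed_classes' => false]);
}

// Hardened pattern 2: never accept serialized PHP from users at all; keep
// structured data as JSON, which has no way to name a class.
function hardened_json(string $value) {
    return json_decode($value, true, 8, JSON_THROW_ON_ERROR);
}

$obj = vulnerable_render($field_value); // LogWriter object created
unset($obj);                            // LogWriter::__destruct runs here

$safe = hardened_render($field_value);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true): inert

try {
    hardened_json($field_value);
} catch (JsonException $e) {
    echo "JSON parser rejected the payload: " . $e->getMessage() . "\n";
}
```

The allowed_classes option (PHP 7.0 and later) is the minimal fix when serialized data must be accepted for compatibility; it keeps arrays and scalars working while removing the attacker's ability to pick a class. Switching the storage format to JSON removes the problem class entirely and is the better long-term choice.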
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS Vector
The immediate fix is to update Everest Forms to version 3.4.4 or later, which validates input before it reaches unserialize(). After updating, review the stored form entries for serialized-object strings (values beginning with or containing a header of the form O:<digits>:"ClassName") and treat any hit as an attempted attack, following up with a check of server logs and file integrity for signs that a gadget chain succeeded. A Web Application Firewall rule that blocks serialized-object patterns in form submissions can buy time until the update is applied. Restricting access to the WordPress admin area and using strong passwords do not stop this unauthenticated flaw, but they limit what an attacker gains from a partial foothold. Regular security audits and prompt updates of core, plugins and themes remain the baseline.
Update to version 3.4.4, or a newer patched version
PHP Object Injection is a vulnerability class in which attacker-controlled data is passed to unserialize(). PHP instantiates the class named in the payload and runs its magic methods, so if a class with a useful __wakeup, __destruct or similar method is loaded on the site, the attacker can chain those methods into file writes, database queries or code execution. Without such a gadget the injected object is inert, which is why the real impact of a given instance depends on the whole installed code base and not only on the vulnerable plugin.
If the installed Everest Forms version is 3.4.3 or earlier, the site is vulnerable. Check the version on the Plugins screen of the WordPress admin dashboard.
Treat the site as compromised. Update the plugin, then change all WordPress user passwords and the database password, rotate the authentication keys and salts in wp-config.php so existing sessions are invalidated, and scan the web root for recently modified or unexpected PHP files, starting with writable directories such as wp-content/uploads. If the scan finds a backdoor or the extent of the intrusion is unclear, restore a backup taken before the first suspicious form submission.
The injected payloads live in the stored form entries, not in PHP files: search the entries tables in the database for serialized-object markers (O:<digits>:"ClassName" or C:<digits>:), which no legitimate text field should contain. Follow-on activity from a successful gadget chain shows up as modified or new PHP files, so pair the database search with a file-integrity check or a malware scanner; static and dynamic analysis tools then help confirm what a suspicious file actually does.
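An added example, not part of this advisory or the plugin, of the database check described above: a PHP scan that flags entry values containing a serialized-object header. The sample rows are constructed, and the wp_evf_entrymeta table name mentioned in the comment is an assumption about the plugin's schema that should be checked against the actual installation.

```php
<?php
// Added example (not advisory or plugin code): flag stored form-entry values that
// look like serialized PHP objects.

// A serialize()d object always emits O:<len>:"<Class>":<count>: (or C:<len>:"<Class>":
// for Serializable classes). Objects nested in arrays are preceded by ';' or '{'.
const SERIALIZED_OBJECT_RE = '/(?:^|[{;])[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:/';

/**
 * Returns one hit per row whose meta_value contains a serialized-object header.
 * Each row is expected to carry entry_id, meta_key and meta_value keys.
 */
function find_serialized_objects(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match(SERIALIZED_OBJECT_RE, (string) $row['meta_value'], $m)) {
            $hits[] = [
                'entry_id' => $row['entry_id'],
                'key'      => $row['meta_key'],
                'match'    => $m[0],
            ];
        }
    }
    return $hits;
}

// Constructed sample rows standing in for the result of a query such as
//   SELECT entry_id, meta_key, meta_value FROM wp_evf_entrymeta
// (table name assumed; adjust to the real schema and table prefix).
$rows = [
    ['entry_id' => 101, 'meta_key' => 'name',
     'meta_value' => 'Jane Doe'],
    ['entry_id' => 101, 'meta_key' => 'message',
     'meta_value' => 'Order #O:12 arrived today, thanks'],
    ['entry_id' => 102, 'meta_key' => 'message',
     'meta_value' => 'O:9:"LogWriter":2:{s:4:"path";s:18:"/var/www/shell.php";s:4:"data";s:6:"stage1";}'],
    ['entry_id' => 103, 'meta_key' => 'email',
     'meta_value' => 'a:1:{i:0;O:8:"stdClass":0:{}}'],
];

foreach (find_serialized_objects($rows) as $hit) {
    // Expected: entries 102 and 103 are reported; 101 is clean.
    printf("entry %d, field %s: %s\n", $hit['entry_id'], $hit['key'], $hit['match']);
}
```

Feed it rows pulled with $wpdb->get_results() or exported through WP-CLI. The second sample row, which merely mentions "O:12" in prose, is not flagged because the pattern also requires the quoted class name and property count that serialize() always emits; the fourth row shows that an object hidden inside a serialized array is still caught.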
Keep WordPress, plugins, and themes updated. Use strong passwords. Implement a Web Application Firewall (WAF). Perform regular site backups.