A critical security vulnerability has been discovered in the Everest Forms plugin, a widely used WordPress plugin with over 100,000 active installations. Known for its versatile contact, payment, and survey forms, Everest Forms allows site owners to create forms through a simple WYSIWYG editor. However, versions 3.2.2 and below are affected by a PHP object injection vulnerability (CVE-2025-52709, CVSS 9.8), which could allow attackers to execute arbitrary code in certain environments.
The vulnerability arises from how the plugin processes serialized data within form submissions. When an administrator views a form submission in the WordPress dashboard, the plugin attempts to unserialize any serialized data found, using a custom function:
"In the vulnerable versions of Everest Forms, the plugin provides a custom wrapper, evf_maybe_unserialize, for PHP's unserialize function."
While evf_maybe_unserialize correctly applies the allowed_classes filter in newer PHP versions, PHP versions below 7.1 lack this safeguard, leaving a dangerous attack surface open.
"When an admin reviews these submissions, if serialized data is detected, the plugin then attempts to unserialize it before displaying the contents."
This means a malicious actor could submit crafted serialized payloads that instantiate arbitrary PHP objects, potentially triggering code execution by exploiting magic methods or flaws in unrelated PHP classes.
The vulnerability is triggered when entries are displayed in the WordPress Admin Dashboard. The column_form_field function, responsible for rendering form field data, calls the vulnerable evf_maybe_unserialize function.
An attacker could exploit this flaw by submitting form data containing serialized objects. When an administrator views these submissions, the unserialization step could instantiate attacker-controlled objects, opening the door to RCE (remote code execution), data exfiltration, or other forms of compromise.
The vendor, WPEverest, addressed this issue in version 3.2.3 by completely disabling unserialization for PHP versions below 7.1. All users of Everest Forms are strongly advised to update to version 3.2.3 or higher immediately.
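The two points above, the `allowed_classes` filter in the wrapper and the vendor's choice to disable unserialization on PHP below 7.1, can be shown in one defensive routine. The code below is an added example, not Everest Forms code or the vendor's patch; the function names `looks_serialized`, `contains_serialized_object` and `safe_maybe_unserialize` and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not Everest Forms code): a hardened "maybe unserialize" for
// untrusted form-submission data. All function names here are hypothetical.

/** Cheap test for a PHP-serialized string (same spirit as WordPress's is_serialized check). */
function looks_serialized(string $data): bool {
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    // type marker, then the usual terminator (";" for scalars, "}" for arrays/objects)
    return (bool) preg_match('/^[abidsOC]:/', $data) && (bool) preg_match('/[;}]$/', $data);
}

/** Detection helper: does the payload carry object (O:) or custom-class (C:) tokens? Useful for logging or alerting. */
function contains_serialized_object(string $data): bool {
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $data);
}

/**
 * Unserialize untrusted data without ever instantiating application classes.
 * - PHP >= 7.1: allowed_classes => false turns every object into __PHP_Incomplete_Class,
 *   so no __wakeup/__destruct logic of a real class can run.
 * - PHP < 7.1: the allowed_classes option does not exist, so refuse and return the raw
 *   string (the same approach the vendor took: no unserialization on old PHP).
 */
function safe_maybe_unserialize(string $data) {
    if (!looks_serialized($data)) {
        return $data;
    }
    if (PHP_VERSION_ID < 70100) {
        return $data; // cannot restrict classes here; keep it as an opaque string
    }
    if (contains_serialized_object($data)) {
        // constructed log line; in a real deployment route this to your SIEM
        error_log('form submission contained a serialized object; classes were not instantiated');
    }
    $result = @unserialize($data, ['allowed_classes' => false]);
    // unserialize returns false both on failure and for the literal "b:0;"
    return ($result === false && $data !== 'b:0;') ? $data : $result;
}

// Constructed sample inputs: a benign serialized array and a payload carrying an object.
$benign  = serialize(['name' => 'Alice', 'age' => 30]);
$hostile = 'O:8:"stdClass":1:{s:4:"note";s:5:"hello";}';

var_dump(safe_maybe_unserialize($benign));                          // array('name' => 'Alice', 'age' => 30)
$r = safe_maybe_unserialize($hostile);
var_dump($r instanceof __PHP_Incomplete_Class);                     // bool(true) on PHP >= 7.1
var_dump(contains_serialized_object($benign), contains_serialized_object($hostile)); // false, true
```

The design choice worth noting is that on PHP 7.1 and later the object is still parsed, but only as `__PHP_Incomplete_Class`, so display code that expects arrays or scalars keeps working while no class with magic methods is ever constructed; on older PHP there is no equivalent knob, which is why refusing to unserialize at all is the safe default there.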