Everest Forms, a popular WordPress plugin trusted by over 100,000 websites for building everything from simple contact forms to complex applications, has addressed a critical security vulnerability. The flaw, tracked as CVE-2026-3296, carries a CVSS score of 9.8, signaling a severe risk to unpatched WordPress environments.
The plugin is widely known for its versatile drag-and-drop builder, payment processing, and survey tools. However, versions up to and including 3.4.3 contain a dangerous unauthenticated PHP Object Injection vulnerability that could allow attackers to execute arbitrary code on the server.
The vulnerability stems from how the plugin handles form entry metadata. Specifically, the html-admin-page-entries-view.php file calls PHP’s native unserialize() function on stored metadata values without implementing proper class restrictions.
Because the plugin fails to pass the allowed_classes parameter during this process, unauthenticated attackers can exploit the following chain:
- Injection: An attacker submits a serialized PHP object payload through any public form field.
- Persistence: The payload survives the plugin's standard sanitize_text_field() sanitization, which does not strip serialization control characters, and is stored in the wp_evf_entrymeta database table.
- Execution: When an administrator simply views the form entries or inspects an individual entry, the unsafe unserialize() call processes the malicious data, triggering the object injection.
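The following PHP is an added illustration, not code from the Everest Forms plugin: it places the vulnerable pattern the article describes (unserialize() on stored entry metadata with no class restriction) beside a hardened equivalent that passes allowed_classes, and adds an input-side check and a small audit over stored meta rows. All function names are hypothetical and the sample rows are constructed for this example; the serialized object used is a plain stdClass, which is harmless on its own.

```php
<?php
// Added example, not Everest Forms code. Function names are hypothetical and
// the sample rows below are constructed to stand in for wp_evf_entrymeta.

// Constructed sample metadata: a plain string, a serialized stdClass (a benign
// stand-in for an attacker-chosen class), and a serialized array.
$sample_rows = [
    ['meta_key' => 'field_1', 'meta_value' => 'alice@example.com'],
    ['meta_key' => 'field_2', 'meta_value' => 'O:8:"stdClass":1:{s:4:"note";s:5:"hello";}'],
    ['meta_key' => 'field_3', 'meta_value' => 'a:2:{i:0;s:1:"x";i:1;s:1:"y";}'],
];

// Vulnerable pattern: every class named in the stream is instantiated, so any
// __wakeup()/__destruct() logic of a reachable class runs when an admin views
// the entry. This is the shape of the bug the article describes.
function vulnerable_read_meta(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: allowed_classes => false turns every object into
// __PHP_Incomplete_Class, so no magic methods execute. Arrays and scalars
// still round-trip, which is all form entry metadata needs.
function safe_read_meta(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // unserialize() returns false both on failure and for the literal 'b:0;'.
    if ($value === false && $raw !== 'b:0;') {
        return $raw; // not serialized data; keep the original string
    }
    return $value;
}

// Input-side check: sanitize_text_field() keeps serialization control
// characters, so reject object payloads before they reach the database.
// O: marks an object, C: a custom-serialized object; also catch them nested
// inside arrays.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[{;])[OC]:\d+:"/', $raw);
}

// Audit helper for existing entries: report rows whose value would
// instantiate an object if it were passed to an unrestricted unserialize().
function audit_entry_meta(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        if (looks_like_serialized_object($row['meta_value'])) {
            $findings[] = $row['meta_key'];
        }
    }
    return $findings;
}

foreach ($sample_rows as $row) {
    $value = safe_read_meta($row['meta_value']);
    printf(
        "%s => %s\n",
        $row['meta_key'],
        is_object($value) ? get_class($value) : json_encode($value)
    );
}

print_r(audit_entry_meta($sample_rows));
```

Running this against the constructed rows reports field_2 as the only object-bearing value; safe_read_meta() returns it as a __PHP_Incomplete_Class rather than instantiating anything. When auditing a real installation, the same regex can be applied to the meta_value column of wp_evf_entrymeta, and any WordPress helper the plugin routes values through should be checked to confirm that it actually restricts classes rather than calling unserialize() unrestricted.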
The “Critical” rating reflects the fact that this attack requires no authentication and can be triggered by any visitor to a site’s public forms. A successful exploit could lead to full site takeover, data theft, or the installation of persistent backdoors, depending on the Property Oriented Programming (POP) gadget chains available in the site’s other active plugins or themes.
This vulnerability impacts all versions up to, and including, 3.4.3.
The developers have moved quickly to secure the plugin. A patched version, 3.4.4, is now available and addresses the unsafe deserialization issue.