CVE-2026-3296 (GCVE-0-2026-3296)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:24 – Updated: 2026-04-08 16:42
VLAI?
Title
Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata
Summary
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Vendor Product Version
wpeverest Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Affected: 0 , ≤ 3.4.3 (semver)
Create a notification for this product.
Credits
Karuppiah Sabari Kumar
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3296",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T14:21:41.571035Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T14:21:50.499Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey \u0026 Custom Form Builder",
          "vendor": "wpeverest",
          "versions": [
            {
              "lessThanOrEqual": "3.4.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Karuppiah Sabari Kumar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP\u0027s native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:42:45.183Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753\u0026old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3\u0026new_path=/everest-forms/tags/3.4.4"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-26T20:24:52.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-07T11:35:53.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Everest Forms \u003c= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3296",
    "datePublished": "2026-04-08T01:24:43.946Z",
    "dateReserved": "2026-02-26T20:09:26.417Z",
    "dateUpdated": "2026-04-08T16:42:45.183Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-3296",
      "date": "2026-04-17",
      "epss": "0.00026",
      "percentile": "0.07085"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-3296\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-04-08T02:16:04.067\",\"lastModified\":\"2026-04-08T21:26:35.910\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP\u0027s native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753\u0026old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3\u0026new_path=/everest-forms/tags/3.4.4\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3296\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T14:21:41.571035Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T14:21:46.392Z\"}}], \"cna\": {\"title\": \"Everest Forms \u003c= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Karuppiah Sabari Kumar\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"wpeverest\", \"product\": \"Everest Forms \\u2013 Contact Form, Payment Form, Quiz, Survey \u0026 Custom Form Builder\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.4.3\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-26T20:24:52.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-04-07T11:35:53.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753\u0026old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3\u0026new_path=/everest-forms/tags/3.4.4\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP\u0027s native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-08T16:42:45.183Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-3296\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T16:42:45.183Z\", \"dateReserved\": \"2026-02-26T20:09:26.417Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-04-08T01:24:43.946Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.