{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3296", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-26T20:09:26.417Z", "datePublished": "2026-04-08T01:24:43.946Z", "dateUpdated": "2026-04-08T16:42:45.183Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:45.183Z"}, "affected": [{"vendor": "wpeverest", "product": "Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey & Custom Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions."}], "title": "Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594"}, {"url": "https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Karuppiah Sabari Kumar"}], "timeline": [{"time": "2026-02-26T20:24:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T11:35:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:21:41.571035Z", "id": "CVE-2026-3296", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:21:50.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3296", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T14:21:41.571035Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:21:46.392Z"}}], "cna": {"title": "Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata", "credits": [{"lang": "en", "type": "finder", "value": "Karuppiah Sabari Kumar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wpeverest", "product": "Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey & Custom Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.4.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-26T20:24:52.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T11:35:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594"}, {"url": "https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4"}], "descriptions": [{"lang": "en", "value": "The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:45.183Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3296", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:45.183Z", "dateReserved": "2026-02-26T20:09:26.417Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T01:24:43.946Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions."}], "id": "CVE-2026-3296", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T02:16:04.067", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey & Custom Form Builder", "source": "cna", "vendor": "wpeverest"}, "product": "everest_forms_\u2013_contact_form,_payment_form,_quiz,_survey_&_custom_form_builder", "vendor": "wpeverest"}], "analysis": {"en": {"generated_at": "2026-04-08T02:20:58.923817+00:00", "value": {"mitigation_remediation": ["Upgrade Everest Forms to version 3.4.4 or later to apply the vendor fix.", "Verify that the plugin has been updated by checking the plugin version in the WordPress admin panel.", "If an update cannot be applied immediately, remove or deactivate the Everest Forms plugin to eliminate the risk source.", "Limit the ability to view or manage form entries to super\u2011admin roles only, reducing the window for an attacker\u2019s payload to be unserialized.", "Monitor the wp_evf_entrymeta table and WordPress logs for unusual serialized entries and account activity.\n"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Everest Forms plugin (wpeverest:Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey & Custom Form Builder) with version 3.4.3 or earlier are affected. No other products or versions are listed as vulnerable.\n", "description_and_impact": "The vulnerability allows an attacker to inject a serialized PHP object via any public form field in the Everest Forms plugin. The stored entry metadata is unserialized without class restrictions when an administrator views entries, enabling arbitrary code execution. The object survives WordPress sanitization, so the attack does not require authentication to submit the payload. Successful exploitation can compromise confidentiality, integrity, and availability of the affected WordPress site.\n", "risk_and_exploitability": "The CVSS score of 9.8 marks the issue as critical, with no EPSS data available. It is not listed in the CISA KEV catalogue. The attack vector is likely from a public form that an unauthenticated user can submit data to the site. The prerequisite for exploitation is that an attacker can retain a crafted serialized payload; the exploit is triggered only when an administrator later accesses the entry view, at which point the unserialize call processes the malicious data. Given the high severity and the potential for full code execution on the host, the risk is high and the likelihood of exploitation is significant in environments where the plugin is not upgraded.\n"}}}}, "created": "2026-04-08T19:33:35.147895+00:00", "updated": "2026-04-08T19:44:12.922143+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpeverest", "wpeverest$PRODUCT$everest_forms_\u2013_contact_form,_payment_form,_quiz,_survey_&_custom_form_builder"]}