PHP Object Injection Vulnerability in Everest Forms (Pro) for WordPress
CVE-2025-8871

5.6MEDIUM

Key Information:

Vendor: WordPress
Status: Everest Forms Pro
Vendor: CVE Published:; 5 November 2025

What is CVE-2025-8871?

The Everest Forms (Pro) plugin for WordPress is susceptible to PHP Object Injection due to improper handling of untrusted input during the deserialization process in the mime_content_type() function. Unauthenticated attackers can exploit this flaw when a form contains a non-required signature field paired with an image upload field. Notably, this vulnerability does not directly compromise the application unless a compatible PHP Object Pollution (POP) chain exists through other installed plugins or themes. If such a chain is present, it could enable attackers to delete files, access sensitive information, or execute malicious code, primarily in systems running PHP versions prior to 8.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Everest Forms Pro * <= 1.9.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://everestforms.net/changelog/

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 5, 2025
Vulnerability Reserved
Aug 11, 2025

Credit

Alex Thomas

JSON

WordPress