PHP Object Injection Vulnerability in Everest Forms (Pro) for WordPress
CVE-2025-8871

5.6 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
5 November 2025

What is CVE-2025-8871?

The Everest Forms (Pro) plugin for WordPress is susceptible to PHP Object Injection due to improper handling of untrusted input during the deserialization process in the mime_content_type() function. Unauthenticated attackers can exploit this flaw when a form contains a non-required signature field paired with an image upload field. Notably, this vulnerability does not directly compromise the application unless a compatible PHP Object Pollution (POP) chain exists through other installed plugins or themes. If such a chain is present, it could enable attackers to delete files, access sensitive information, or execute malicious code, primarily in systems running PHP versions prior to 8.
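A defender-side detection heuristic for the vulnerability class described above: a scanner that flags serialized PHP object headers (`O:<len>:"<Class>":<n>:{`) embedded in uploaded file content. This is an added example, not code from the advisory, the plugin or the vendor; it assumes nothing about how the plugin reaches mime_content_type(), and the sample bytes are constructed.

```python
import re

# Header of a serialized PHP object: O:<name length>:"<class name>":<property count>:{
# Property values inside the braces are not parsed; the header alone is the signal.
_PHP_OBJECT_RE = re.compile(rb'O:(\d+):"([^"]*)":(\d+):\{')


def find_php_serialized_objects(data: bytes) -> list[str]:
    """Return the class names of serialized PHP objects found anywhere in data.

    A hit is reported only when the declared name length matches the actual
    class-name length, which filters out text that merely resembles the format.
    """
    hits = []
    for match in _PHP_OBJECT_RE.finditer(data):
        declared_len = int(match.group(1))
        class_name = match.group(2)
        if declared_len == len(class_name):
            hits.append(class_name.decode("latin-1"))
    return hits


def upload_is_suspicious(data: bytes) -> bool:
    """True when an upload that should be an image carries a PHP object payload."""
    return bool(find_php_serialized_objects(data))


# Constructed samples: a PNG-like header with padding, and the same header with a
# serialized stdClass object appended. Both are synthetic test inputs.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
TAINTED_PNG = b"\x89PNG\r\n\x1a\n" + b'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
# Declared length (5) does not match "stdClass" (8), so this is not reported.
MALFORMED = b'O:5:"stdClass":0:{}'

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("tainted", TAINTED_PNG), ("malformed", MALFORMED)):
        print(label, upload_is_suspicious(blob), find_php_serialized_objects(blob))
```

Scanning upload bytes this way is a heuristic for incident triage and WAF-style logging, not a substitute for upgrading past the affected version.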

Affected Version(s)

Everest Forms Pro <= 1.9.7

CVSS V3.1

Score: 5.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Thomas