PHP Object Injection Vulnerability in Everest Forms Plugin for WordPress
CVE-2026-3296
Key Information:
- Vendor: WordPress
- CVE Published: 8 April 2026
What is CVE-2026-3296?
The Everest Forms plugin for WordPress is susceptible to a PHP Object Injection flaw that affects all versions up to 3.4.3. This vulnerability arises from the deserialization of untrusted input, specifically when the html-admin-page-entries-view.php file calls PHP's native unserialize() function on entry metadata. Affected instances may allow unauthenticated attackers to inject a malicious serialized PHP object payload through any public Everest Forms form field. Despite sanitization efforts using sanitize_text_field(), serialization control characters remain intact, allowing for the payload's persistence in the wp_evf_entrymeta database table. When administrators attempt to view the entries or an individual entry, the insecure unserialize() operation processes the stored data without any class restrictions, leading to potential exploitation.
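The following PHP is an added illustration of the pattern the advisory describes; it is not code from Everest Forms. It uses a hypothetical class `DemoNote`, a simplified stand-in for `sanitize_text_field()` named `sanitize_text_field_like()`, and a constructed submission, and shows three things: that a serialized object survives text sanitization unchanged, that an unrestricted `unserialize()` instantiates the class and runs its `__wakeup()`, and that `unserialize()` with `allowed_classes => false` yields only a `__PHP_Incomplete_Class` so no class code runs. A small `looks_like_serialized_object()` helper is included as a defender's check for stored meta values.

```php
<?php
// Added example, not Everest Forms code. Models the flow in the advisory:
// a public form value is filtered, stored as entry meta, and later passed
// to unserialize() when an administrator views the entry.

// Hypothetical class standing in for any loaded class whose magic methods
// (__wakeup, __destruct, ...) would execute on deserialization.
class DemoNote {
    public $text = '';
    public function __wakeup() {
        echo "[__wakeup] ran for DemoNote: {$this->text}\n";
    }
}

// Simplified stand-in for WordPress's sanitize_text_field(): strip tags,
// drop control characters, collapse whitespace, trim. Every character that
// serialized PHP depends on (O, :, ", {, }, ;) is printable, so a serialized
// object passes through untouched. This mirrors the advisory's point.
function sanitize_text_field_like(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    $value = preg_replace('/\s+/', ' ', $value);
    return trim($value);
}

// Vulnerable pattern: no class restrictions, any loaded class can be built.
function view_entry_meta_vulnerable(string $stored) {
    return unserialize($stored);
}

// Hardened pattern: refuse to instantiate any class. Objects come back as
// __PHP_Incomplete_Class and no application __wakeup/__destruct runs.
// Returns false for malformed data, which callers should treat as an error.
function view_entry_meta_hardened(string $stored) {
    return unserialize($stored, ['allowed_classes' => false]);
}

// Defender's check for values already sitting in storage: flags a serialized
// object at the top level or nested inside a serialized array.
function looks_like_serialized_object(string $value): bool {
    return (bool) preg_match('/(^|[{;])O:\d+:"/', $value);
}

// Constructed submission: a serialized object of the harmless local class.
$note = new DemoNote();
$note->text = 'hello';
$submitted = serialize($note);            // O:8:"DemoNote":1:{s:4:"text";s:5:"hello";}

$stored = sanitize_text_field_like($submitted);
echo "survived sanitization: " . var_export($stored === $submitted, true) . "\n";
echo "flagged by check: " . var_export(looks_like_serialized_object($stored), true) . "\n";
echo "plain text flagged: " . var_export(looks_like_serialized_object('hello world'), true) . "\n";

echo "--- vulnerable path ---\n";
var_dump(view_entry_meta_vulnerable($stored));   // __wakeup fires, DemoNote instance

echo "--- hardened path ---\n";
var_dump(view_entry_meta_hardened($stored));     // __PHP_Incomplete_Class, no __wakeup
```

Run with `php example.php`. The `allowed_classes` option requires PHP 7.0 or later; the more durable fix for data that originates from a form submission is to store it in a format such as JSON that never instantiates objects, so that an administrator's view of entries cannot trigger class code at all.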
Affected Version(s)
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder 0 <= 3.4.3