Severity by source
CVSS 3.1 vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.
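The mechanism described above, as an added example that is not Everest Forms' own code: the unrestricted unserialize() pattern beside a hardened version, a demonstration that a serialized object payload is plain printable ASCII (which is why a text sanitizer passes it through), and a triage check for meta values already stored in wp_evf_entrymeta. DemoGadget, the payload, and the column names in the hunt query are assumptions constructed for this demo.

```php
<?php
// Added example (not Everest Forms code): vulnerable vs. hardened
// deserialization of stored entry meta, plus a triage check.
// DemoGadget, the payload and the SQL column names are assumptions.

// Stand-in for a POP-chain gadget: any loaded class with a magic method
// (__wakeup, __destruct, __toString ...) reachable through unserialize().
class DemoGadget
{
    public static $woke = false;
    public $note = 'demo';

    public function __wakeup()
    {
        // A real gadget does something harmful here (file write, eval ...).
        self::$woke = true;
    }
}

// Constructed attacker input, as it would be typed into a public form field.
// Every byte is printable ASCII: no tags, no high octets, no control
// characters, so a sanitizer that only strips those leaves it intact.
$payload = 'O:10:"DemoGadget":1:{s:4:"note";s:4:"demo";}';

// Vulnerable pattern: native unserialize() with no class restriction.
// Any class loaded in the process (core, plugins, themes) can be
// instantiated with attacker-controlled properties and its magic methods run.
function vulnerable_read_meta(string $stored)
{
    return unserialize($stored);
}

// Hardened pattern: refuse to instantiate any class (PHP >= 7.0).
// Objects in the payload decode to __PHP_Incomplete_Class and no magic
// method runs; scalars and arrays, all that entry meta should hold, still decode.
function hardened_read_meta(string $stored)
{
    $value = unserialize($stored, ['allowed_classes' => false]);
    // Defence in depth: anything that still decodes to an object is rejected.
    // (Objects nested inside arrays also become incomplete classes; no code runs.)
    return is_object($value) ? false : $value;
}

// Triage check for data already in the database: serialized objects begin
// with O: or C:, either at the top level or nested after ; or { inside an
// array. Legitimate form entry meta should never match.
function looks_like_object_payload(string $stored): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $stored);
}

// Hypothetical hunt query (column names assumed to follow the usual
// WordPress *_meta layout; verify against the real schema first):
//   SELECT meta_id, entry_id, meta_key FROM wp_evf_entrymeta
//   WHERE meta_value LIKE 'O:%' OR meta_value LIKE '%;O:%';

// Demo run.
printf("payload is printable ASCII: %s\n", ctype_print($payload) ? 'yes' : 'no');
printf("flagged by triage check:    %s\n", looks_like_object_payload($payload) ? 'yes' : 'no');

$obj = vulnerable_read_meta($payload);
printf("vulnerable: got %s, gadget ran: %s\n",
    get_class($obj), DemoGadget::$woke ? 'yes' : 'no');

DemoGadget::$woke = false;
$safe = hardened_read_meta($payload);
printf("hardened:   got %s, gadget ran: %s\n",
    var_export($safe, true), DemoGadget::$woke ? 'yes' : 'no');
```

Run it with `php demo.php`. The vulnerable path instantiates DemoGadget and its __wakeup fires; the hardened path returns false and the flag stays unset, because with `allowed_classes => false` PHP never looks up the class. Input-side sanitizers are the wrong layer for this bug: the fix is at the unserialize() call, and storing entry meta as JSON (or validating that the decoded value is a scalar or array before use) removes the class of problem entirely.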
Analysis (AI-generated)
PHP object injection in Everest Forms for WordPress (all versions ≤3.4.3) allows unauthenticated remote attackers to achieve critical system compromise. Attackers submit malicious serialized payloads through any public form field, which persist through sanitization into the wp_evf_entrymeta database table. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Everest Forms plugin versions ≤3.4.3 installed on WordPress; unserialize() called on entry meta values without the allowed_classes restriction; attacker can reach any public form to inject the payload; no authentication required. Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is CRITICAL despite no confirmed active exploitation (not in CISA KEV at time of analysis). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running Everest Forms 3.4.3 with a public contact form. The attacker crafts a serialized PHP object payload leveraging a known WordPress POP chain (such as those in popular plugins like WooCommerce or commonly installed themes) designed to write a web shell to the uploads directory. … |
| Remediation | Immediately upgrade to Everest Forms version 3.4.4 or later, which addresses the unsafe deserialization as documented in the changelog at https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
Within 24 hours: Identify all WordPress instances running Everest Forms ≤3.4.3 using plugin inventory tools; temporarily disable the plugin if upgrade cannot be completed immediately. …
EUVD-2026-20020