Security Alert Summary
The Everest Forms WordPress plugin contains a PHP Object Injection vulnerability that allows unauthenticated attackers to store serialized object payloads through public form fields. Because the plugin later passes stored entry metadata to PHP's unserialize() with no class restrictions, the payload is instantiated when an administrator views the affected entries, with high impact to confidentiality, integrity, and availability.
CVE Details
- CVE ID: CVE-2026-3296
- Affected component: Everest Forms plugin for WordPress (form entry metadata handling)
- Affected versions: all versions up to, and including, 3.4.3
- Published: April 8, 2026, 2:16 AM UTC
- Last modified: April 8, 2026, 2:16 AM UTC
- CVSS v3.1: Base Score 9.8, Severity CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / privileges / user interaction: none required (Privileges Required: None, User Interaction: None)
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness (CWE): CWE-502 (Deserialization of untrusted data)
Technical Details
The plugin deserializes stored entry meta values without restrictions. Specifically, the file html-admin-page-entries-view.php calls PHP's native unserialize() on values retrieved from the entry metadata table. The call does not supply the allowed_classes parameter, so any class named in the serialized data is instantiated during unserialization and its magic methods (such as __wakeup or __destruct) run.
Attackers can submit a serialized PHP object payload through any public Everest Forms form field. The payload survives the plugin's sanitize_text_field() sanitization because the serialization syntax uses only ordinary printable characters (no tags, line breaks, or NUL bytes are needed), and the data is stored in the wp_evf_entrymeta database table. When an administrator views the entries list or an individual entry, the unsafe unserialize() call processes the stored payload without class restrictions, enabling PHP Object Injection.
The submission itself is unauthenticated; the injected object is instantiated only when someone opens the entries page in the WordPress admin, so exploitation completes on the next review of submissions. What the injected object can actually do depends on the gadget classes available in the site's installed code (WordPress core, other plugins, and the theme), since object injection on its own only instantiates a class and triggers its magic methods.
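The following is an added example, not code from Everest Forms, showing the unsafe unserialize() pattern the advisory describes next to its hardened form. The Demo class and the payload string are constructed for this demonstration and stand in for whatever gadget classes a real site happens to provide.

```php
<?php
// Added example, not Everest Forms code: a minimal reproduction of the unsafe
// unserialize() pattern next to its hardened form. The Demo class and the
// payload string are constructed for this demo and stand in for whatever
// gadget classes the site's installed code happens to provide.

class Demo
{
    public string $msg = '';

    // Any magic method reachable during unserialize (__wakeup, __destruct,
    // __toString, ...) is what makes a class usable as a gadget. This one only
    // records that it ran.
    public function __wakeup(): void
    {
        echo "Demo::__wakeup executed, msg=" . $this->msg . PHP_EOL;
    }
}

// Attacker-controlled value submitted through a public form field. It has no
// HTML tags, line breaks or NUL bytes, so a sanitize_text_field()-style cleanup
// stores it unchanged.
$payload = 'O:4:"Demo":1:{s:3:"msg";s:5:"hello";}';

// Vulnerable pattern (what the advisory describes): no allowed_classes, so the
// class named in the string is instantiated and its magic methods run.
function read_entry_meta_vulnerable(string $stored)
{
    return unserialize($stored);
}

// Hardened pattern: allowed_classes => false means no object is ever created.
// PHP returns a __PHP_Incomplete_Class placeholder instead and no magic method
// runs; scalars and arrays still decode normally.
function read_entry_meta_hardened(string $stored)
{
    return unserialize($stored, ['allowed_classes' => false]);
}

$obj = read_entry_meta_vulnerable($payload);
echo "vulnerable: got " . get_class($obj) . PHP_EOL;

$safe = read_entry_meta_hardened($payload);
echo "hardened:   got " . get_class($safe) . PHP_EOL;

// A benign array value (the normal case for multi-value fields) still works
// under the hardened call.
$arr = read_entry_meta_hardened('a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}');
echo "hardened array decodes to " . count($arr) . " elements" . PHP_EOL;
```

Run it with the php command-line interpreter (PHP 7.4 or later). The vulnerable call prints the __wakeup message before reporting class Demo; the hardened call reports __PHP_Incomplete_Class and runs nothing from the class, while the plain array still decodes to two elements. If stored entry meta is only ever scalars or arrays, `allowed_classes => false` is the correct setting; an explicit allow-list of class names is the alternative when a specific value type genuinely must round-trip as an object.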
How This Could Impact Your Website
In a typical small or medium business site, an external visitor could submit a specially crafted form entry that stores a serialized object in entry metadata. That entry might be created through a public form used for contact, feedback, or other submissions. When an internal staff member or administrator opens the entries page to review submissions, the unsafe unserialize() call could process the injected object.
Potential practical consequences include exposure or manipulation of data accessible through the running PHP process, which can increase the risk of data leakage, tampering, or service disruption consistent with the CVSS impacts. For example, internal user email addresses stored or accessible via the application could be exposed, increasing the risk of targeted phishing or social engineering against staff or contractors.
If you are unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update to Everest Forms 3.4.4 or later; the changeset between 3.4.3 and 3.4.4 is linked in the references.
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can submit content. This does not block the issue above, which needs no account at all, but it limits what an attacker gains from any foothold.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and admin access logs for unusual behavior, and check stored form entries for values that contain serialized object markers (strings beginning with O: or C: followed by a class name), which no ordinary form submission produces.
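As an added example that is not part of the original advisory or of the plugin, the script below flags stored entry meta values that carry a serialized PHP object, the check a practitioner would run before and after updating. The rows are constructed sample data in the shape returned by $wpdb->get_results(..., ARRAY_A); the column names meta_id, entry_id, meta_key and meta_value for wp_evf_entrymeta are assumptions.

```php
<?php
// Added example, not Everest Forms code: flag stored entry meta values that carry
// a serialized PHP object. The rows below are constructed sample data in the
// shape returned by $wpdb->get_results(..., ARRAY_A); the column names meta_id,
// entry_id, meta_key and meta_value are assumed for wp_evf_entrymeta.

// Serialized object tokens look like O:<len>:"<class>":<n>:{ (or C: for classes
// implementing Serializable). The marker may sit at the start of the value or
// nested inside an array, after ';' or '{'.
function contains_serialized_object(string $value): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"[^"]*":\d+:\{/', $value);
}

// Return the class name the payload tries to instantiate, for triage.
function serialized_class_name(string $value): ?string
{
    return preg_match('/[OC]:\d+:"([^"]*)":\d+:\{/', $value, $m) ? $m[1] : null;
}

function find_object_payloads(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        $value = (string) $row['meta_value'];
        if (contains_serialized_object($value)) {
            $hits[] = [
                'meta_id'  => $row['meta_id'],
                'entry_id' => $row['entry_id'],
                'meta_key' => $row['meta_key'],
                'class'    => serialized_class_name($value),
            ];
        }
    }
    return $hits;
}

// Constructed sample rows: two ordinary submissions, one object payload at the
// top level, one hidden inside a serialized array.
$rows = [
    ['meta_id' => 1, 'entry_id' => 10, 'meta_key' => 'name',    'meta_value' => 'Alice Example'],
    ['meta_id' => 2, 'entry_id' => 10, 'meta_key' => 'options', 'meta_value' => 'a:1:{i:0;s:3:"foo";}'],
    ['meta_id' => 3, 'entry_id' => 11, 'meta_key' => 'message', 'meta_value' => 'O:8:"stdClass":1:{s:1:"x";i:1;}'],
    ['meta_id' => 4, 'entry_id' => 12, 'meta_key' => 'options', 'meta_value' => 'a:1:{i:0;O:4:"Demo":0:{}}'],
];

foreach (find_object_payloads($rows) as $hit) {
    printf("meta_id=%d entry_id=%d key=%s class=%s\n",
        $hit['meta_id'], $hit['entry_id'], $hit['meta_key'], $hit['class']);
}
```

On a live site, replace the sample array with a query such as `$wpdb->get_results("SELECT meta_id, entry_id, meta_key, meta_value FROM {$wpdb->prefix}evf_entrymeta", ARRAY_A)` (table name from the advisory, column names assumed), or run the equivalent SELECT through WP-CLI's `wp db query`. The same contains_serialized_object() check can be applied at intake to reject a submission before it is stored. A visitor who merely typed a quoted serialized string into a message field would also match, so treat hits as triage leads, and note the class name each one names: a class that exists in your installed code is the one to investigate first.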
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133
- https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594
- https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133
- https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt
- https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve