WordPress · Everest Forms · CVE-2025-3439
Name of the Vulnerable Software and Affected Versions:
Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress versions up to, and including, 3.1.1
Description:
The vulnerability allows unauthenticated attackers to inject a PHP object via deserialization of untrusted input from the `field value` parameter. Depending on the presence of a POP chain in other plugins or themes installed on the site, this makes it possible for attackers to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code. Over 100,000 websites are at potential risk.
Recommendations:
For versions up to, and including, 3.1.1, consider disabling the `field value` parameter or restricting access to it until a patch is available. As a temporary workaround, avoid using the `field value` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
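The pattern behind the description above, shown as an added illustration rather than Everest Forms' own code: a request value passed straight into `unserialize()`, beside two hardened forms and a request-filter check. The function names and the `field_value` key are constructed stand-ins, not the plugin's identifiers.

```php
<?php
// Added illustration (not Everest Forms code). "field_value" is a constructed
// stand-in for the request parameter the advisory describes.

// Vulnerable pattern (CWE-502): a serialized string taken straight from the
// request is handed to unserialize(). Any class present on the site whose
// __wakeup, __destruct or __toString does something useful to an attacker
// can then be instantiated, which is exactly what a POP chain relies on.
function parse_field_value_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened form 1: keep the serialized format but refuse to instantiate
// objects. Scalars and arrays still round-trip; any object in the payload
// becomes __PHP_Incomplete_Class, so no magic method ever runs.
function parse_field_value_hardened(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed input: reject instead of guessing
    }
    return $value;
}

// Hardened form 2 (preferred for new code): do not use PHP native
// serialization for request data at all. JSON cannot carry objects with
// behaviour, so there is nothing for a gadget chain to hook into.
function parse_field_value_json(string $raw)
{
    return json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
}

// Defensive check for a WAF rule or request filter while no fix is
// available: flag payloads carrying serialized object/class markers
// before they reach the plugin.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed sample inputs: a benign array and a harmless stdClass object.
$benign  = serialize(['name' => 'Alice', 'age' => 30]);
$suspect = 'O:8:"stdClass":1:{s:1:"x";s:1:"y";}';

var_dump(parse_field_value_hardened($benign));    // array survives intact
var_dump(parse_field_value_hardened($suspect));   // incomplete class, no code runs
var_dump(looks_like_serialized_object($suspect)); // flagged by the filter
```

`allowed_classes` requires PHP 7.0 or later; on older runtimes only the JSON route removes the object-instantiation path.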