PT-2025-16116 · WordPress · Everest Forms

Kuaile · Published 2025-04-11 · Updated 2025-08-14 · CVE-2025-3439

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress versions up to, and including, 3.1.1
Description: The vulnerability allows unauthenticated attackers to inject a PHP object through deserialization of untrusted input supplied in the field value parameter. Deserializing attacker-controlled data instantiates objects of whatever classes are loaded on the site; what those objects can do depends on which of them carry magic methods (__wakeup, __destruct, __toString and similar) with exploitable side effects. The plugin itself is not reported to ship such a chain, so impact depends on the presence of a POP chain in additional plugins or themes installed on the site, where it can range from deletion of arbitrary files and retrieval of sensitive data to code execution. Over 100,000 websites are at potential risk.
Recommendations: For versions up to, and including, 3.1.1, restrict access to the affected endpoint or block requests whose field value parameter carries serialized PHP data (a value beginning with or containing a record of the form O:<n>:"<class>") until a fixed release is installed, and do not rely on the parameter in the affected API endpoint in the meantime. Because exploitability depends on gadget classes supplied by other plugins and themes, also review and minimise what else is installed on the site. At the moment, this page records no newer version that contains a fix for this vulnerability; check the plugin's changelog for a release later than 3.1.1 that references CVE-2025-3439 before relying on an update.
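The pattern behind this class of bug, as an added illustration that is not Everest Forms' code and makes no claim about how the plugin's handler is written: the request key `field_value`, the handler names and the `LogCleaner` gadget class are assumptions, and the payload is constructed for the demonstration. It targets PHP 8.0 or later.

```php
<?php
// Added illustration for this advisory; it is not Everest Forms code.
// The request key 'field_value', the handler names and the LogCleaner
// gadget class are all hypothetical.

declare(strict_types=1);

// Stand-in for a "gadget": any class loaded on the site (from another plugin
// or theme) whose magic method does something with attacker-controlled
// properties. Chaining such classes is what the advisory calls a POP chain.
final class LogCleaner
{
    public string $path = '';

    public function __destruct()
    {
        // A real gadget would unlink($this->path), read it, include it, etc.
        echo "gadget fired, would act on: {$this->path}\n";
    }
}

// Vulnerable pattern: unserialize() directly on a request value. Any loaded
// class with __wakeup/__destruct/__toString becomes reachable. Wrappers that
// end in the same unserialize() call (WordPress's maybe_unserialize() among
// them) inherit the same risk.
function vulnerable_handler(array $request): mixed
{
    return unserialize((string) ($request['field_value'] ?? ''));
}

// Detection helper: true if the string carries a PHP object record
// (O:len:"Class" or C:len:"Class"), at top level or nested in an array.
// Usable as a pre-check here and as the signature for a WAF rule or a grep
// over access logs.
function carries_php_object(string $s): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $s) === 1;
}

// Hardened pattern: refuse object records up front, and even then forbid
// class instantiation so a bypass of the regex still cannot run a gadget.
function hardened_handler(array $request): mixed
{
    $raw = (string) ($request['field_value'] ?? '');
    if (carries_php_object($raw)) {
        return null;                       // refuse rather than sanitise
    }
    // allowed_classes => false (PHP >= 7.0) turns any object record into
    // __PHP_Incomplete_Class, which has no magic methods.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return $value === false ? null : $value;
}

// Preferred: do not accept PHP serialization from clients at all. Scalars
// and (nested) arrays fit JSON, which can never instantiate a class.
function json_handler(array $request): mixed
{
    try {
        return json_decode((string) ($request['field_value'] ?? ''), true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
}

// Constructed demonstration payload: a serialized LogCleaner pointing at a
// sensitive file (string lengths: "LogCleaner" = 10, "path" = 4, path = 27).
$payload = 'O:10:"LogCleaner":1:{s:4:"path";s:27:"/var/www/html/wp-config.php";}';

$obj = vulnerable_handler(['field_value' => $payload]);
var_dump($obj instanceof LogCleaner);   // bool(true): the gadget was built
unset($obj);                            // __destruct runs: "gadget fired, ..."

var_dump(hardened_handler(['field_value' => $payload]));               // NULL
var_dump(hardened_handler(['field_value' => 'a:1:{i:0;s:2:"ok";}']));  // array with "ok"
var_dump(json_handler(['field_value' => '{"name":"ok"}']));            // array with "ok"
```

Run it with `php demo.php`. The only line that prints "gadget fired" is the `unset()` after the vulnerable handler; the hardened and JSON handlers never construct a `LogCleaner`, which is the property a fix for this weakness has to guarantee regardless of which other plugins are installed.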

Tags: RCE, Deserialization of Untrusted Data

Weakness Enumeration: CWE-502 (Deserialization of Untrusted Data)
Related Identifiers: CVE-2025-3439
Affected Products: Everest Forms