PT-2025-45066 · WordPress · Everest Forms

Alex Thomas · Published 2025-11-05 · Updated 2025-11-05 · CVE-2025-8871

CVSS v3.1: 5.6 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Everest Forms (Pro) versions up to and including 1.9.7
Description: The Everest Forms (Pro) plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the mime_content_type() function. This allows unauthenticated attackers to inject a PHP Object when a form with a non-required signature field and an image upload field is present on the site. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed. If a POP chain exists on the system, an attacker could potentially delete files, retrieve sensitive data, or execute code. This vulnerability is exploitable in PHP versions prior to 8.
Recommendations: Versions prior to 1.9.8 are affected. Update to version 1.9.8 or later.
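An added hardening example, not code from Everest Forms or from the advisory: it validates an upload path before any file-type probe, rejecting stream-wrapper prefixes (on PHP before 8, file functions handed a phar:// path unserialize the archive's metadata, which is the deserialization sink the description refers to) and confining the resolved path to the uploads directory. The function name, the uploads directory and the sample file are assumptions.

```php
<?php
// Hypothetical hardened wrapper around the file-type probe. The core rule: a
// user-influenced string must never select the path or the stream wrapper
// that reaches mime_content_type()/finfo, because on PHP < 8 a phar:// path
// makes those calls unserialize attacker-controlled metadata.
function safe_mime_type(string $candidate, string $uploadsDir): ?string
{
    // 1. Refuse any scheme prefix (phar://, php://, data://, ...) before any
    //    filesystem call touches the string; realpath()/is_file() would
    //    otherwise open the wrapper themselves.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        return null;
    }
    // 2. Resolve both paths and require the file to sit inside uploads
    //    (blocks ../ traversal and symlinks pointing elsewhere).
    $base = realpath($uploadsDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        return null;
    }
    // 3. Only now probe the content; the path is plain and already validated.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($real);
    return $type === false ? null : $type;
}

// Constructed demo: a temporary "uploads" directory holding a minimal PNG.
$uploads = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($uploads, 0700, true);
$png = $uploads . '/sig.png';
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));

var_dump(safe_mime_type($png, $uploads));                       // string "image/png"
var_dump(safe_mime_type('phar://' . $png . '/x', $uploads));    // NULL: wrapper rejected
var_dump(safe_mime_type($uploads . '/../../etc/hostname', $uploads)); // NULL: outside uploads
var_dump(safe_mime_type('php://filter/resource=' . $png, $uploads)); // NULL: wrapper rejected

unlink($png);
rmdir($uploads);
```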

Fix: Update to version 1.9.8 or later.

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2025-8871

Affected Products: Everest Forms, WordPress