PT-2026-31067 · WordPress · Everest Forms
Published 2026-04-08 · Updated 2026-05-18 · CVE-2026-3296
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Everest Forms plugin for WordPress versions up to and including 3.4.3
Description: The Everest Forms plugin for WordPress is susceptible to PHP Object Injection due to the unsafe deserialization of untrusted input from form entry metadata. The html-admin-page-entries-view.php file uses PHP's unserialize() function on stored entry meta values without specifying allowed classes. This allows unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload is stored in the wp_evf_entrymeta database table and processed when an administrator views entries. The sanitize_text_field() function does not strip serialization control characters, allowing the payload to survive sanitization.
Recommendations: Update the Everest Forms plugin to a version later than 3.4.3.
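As an added illustration (not Everest Forms code), the PHP below contrasts the unsafe unserialize() pattern the advisory describes with a hardened reader that refuses any object in a stored meta value; the meta string is a constructed, harmless stdClass sample and the function names are assumptions.

```php
<?php
// Constructed sample of a stored entry meta value. A serialized stdClass stands in
// for any object string a form field could carry; note it contains no tags, line
// breaks or invalid octets, which is why sanitize_text_field() leaves it intact.
$stored_meta = 'O:8:"stdClass":1:{s:4:"note";s:5:"hello";}';

// The pattern the advisory describes: no allowed_classes option, so every class
// named in the string is instantiated and its magic methods may run.
function read_meta_unsafe(string $raw)
{
    return unserialize($raw);
}

// True if the decoded value is, or anywhere contains, an object.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened reader: allowed_classes => false turns every object into
// __PHP_Incomplete_Class (no constructor, __wakeup or __destruct of the named
// class runs), and any object at any depth is then rejected outright.
// Entry meta should only ever hold scalars and arrays.
function read_meta_safe(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null; // not valid serialized data
    }
    if (contains_object($value)) {
        return null; // object payload refused
    }
    return $value;
}

// Triage aid for existing rows: flags values that encode an object or class.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/^[OC]:\d+:"/', $raw);
}

var_dump(read_meta_unsafe($stored_meta));
var_dump(read_meta_safe($stored_meta));
var_dump(read_meta_safe('a:1:{s:1:"k";s:1:"v";}'));
var_dump(looks_like_serialized_object($stored_meta));
```

Running the file shows the first call yielding a live object and the hardened reader returning null for it while still accepting an ordinary array.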

Fix · RCE
Weakness Enumeration: Deserialization of Untrusted Data
Related Identifiers: CVE-2026-3296
Affected Products: Everest Forms