{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3296/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3296"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","php","object-injection","rce","cve-2026-3296"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Everest Forms plugin for WordPress, a widely used form builder, contains a critical PHP Object Injection vulnerability (CVE-2026-3296) affecting versions up to and including 3.4.3. The flaw is insecure deserialization of user-supplied data in \u003ccode\u003ehtml-admin-page-entries-view.php\u003c/code\u003e: the plugin calls PHP\u0026rsquo;s \u003ccode\u003eunserialize()\u003c/code\u003e on form entry metadata read back from the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e table without an \u003ccode\u003eallowed_classes\u003c/code\u003e restriction, so whatever class name is embedded in the stored string gets instantiated. An unauthenticated attacker can plant a serialized PHP object through any public form field. \u003ccode\u003esanitize_text_field()\u003c/code\u003e does not stop this: it strips tags, line breaks and invalid UTF-8, but a serialized object built from public properties consists only of printable characters (letters, digits, colons, quotes, braces and semicolons) that the function leaves untouched. The payload therefore sits in the database until an administrator views the form entries, at which point it is deserialized; given a suitable gadget chain (a class with a \u003ccode\u003e__wakeup()\u003c/code\u003e, \u003ccode\u003e__destruct()\u003c/code\u003e or \u003ccode\u003e__toString()\u003c/code\u003e method whose behaviour the attacker can steer) in the plugin, the theme or any other loaded code, this lets the attacker execute arbitrary PHP code on the WordPress server. 
This vulnerability poses a significant risk to WordPress sites using the Everest Forms plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker submits a serialized PHP object (a string beginning with \u003ccode\u003eO:\u003c/code\u003e, followed by a class name and a property list) through a public Everest Forms form field.\u003c/li\u003e\n\u003cli\u003eThe payload passes through \u003ccode\u003esanitize_text_field()\u003c/code\u003e unchanged, because that function strips tags, line breaks and invalid UTF-8 but not the printable characters that make up a serialized string.\u003c/li\u003e\n\u003cli\u003eThe serialized string is stored as entry metadata in the \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e table, associated with the form entry.\u003c/li\u003e\n\u003cli\u003eAn administrator logs in to the WordPress admin panel and opens the Everest Forms entries section.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ehtml-admin-page-entries-view.php\u003c/code\u003e runs to render the entry and its metadata.\u003c/li\u003e\n\u003cli\u003eThe plugin reads the stored string back from \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe plugin passes the string to \u003ccode\u003eunserialize()\u003c/code\u003e \u003cem\u003ewithout\u003c/em\u003e the \u003ccode\u003eallowed_classes\u003c/code\u003e option, so PHP instantiates whatever class the attacker named (PHP Object Injection).\u003c/li\u003e\n\u003cli\u003ePHP invokes the instantiated object\u0026rsquo;s magic methods (\u003ccode\u003e__wakeup()\u003c/code\u003e on deserialization, \u003ccode\u003e__destruct()\u003c/code\u003e when the object is discarded, \u003ccode\u003e__toString()\u003c/code\u003e if it is echoed). With a gadget chain available in the plugin or other loaded code, this leads to arbitrary PHP code execution on the server and potentially complete control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3296) can lead to complete compromise of the WordPress website. 
An attacker can gain remote code execution, allowing them to inject malware, deface the site, steal sensitive data (including user credentials and financial information), or use the compromised server as part of a botnet. Because exploitation needs no authentication and the trigger is a routine administrative action (viewing entries), the attack is practical against any site running an affected version. Given the widespread use of the Everest Forms plugin, a large number of WordPress sites are potentially vulnerable. The CVSS v3.1 base score of 9.8 reflects the critical severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Everest Forms plugin to the latest version (greater than 3.4.3) to patch CVE-2026-3296. Until the update is applied, avoid opening the entries view: the payload is stored and only fires when an administrator views the affected entry.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious unserialize Call in Everest Forms\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to WordPress form submission endpoints whose bodies contain serialized PHP objects (tokens of the form \u003ccode\u003eO:\u0026lt;digits\u0026gt;:\u0026quot;\u0026lt;ClassName\u0026gt;\u0026quot;:\u003c/code\u003e), as detected by the \u003ccode\u003eDetect Suspicious Form Submission with Serialized Data\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing serialized PHP objects in form submission data. Treat this as a stopgap rather than a fix: it does not neutralize payloads already stored in \u003ccode\u003ewp_evf_entrymeta\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T02:16:04Z","date_published":"2026-04-08T02:16:04Z","id":"/briefs/2026-04-everest-forms-rce/","summary":"The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-3296) in versions up to 3.4.3, allowing unauthenticated attackers to execute arbitrary code by injecting serialized PHP objects via form fields.","title":"Everest Forms WordPress Plugin PHP Object Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-everest-forms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-3296","version":"https://jsonfeed.org/version/1.1"}
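The unserialize() pattern behind the attack chain above, its hardened form, and the input-side check the monitoring and WAF recommendations call for, as an added example written for this page. It is not code from Everest Forms or from CraftedSignal: DemoGadget, demo_sanitize() and contains_php_serialized_object() are hypothetical stand-ins (the real gadget classes and sanitizer live in WordPress, the plugin and other loaded code), the sample form values are constructed, and PHP 8 is assumed.

```php
<?php
// Added example (not Everest Forms code). Requires PHP 8 (typed properties, mixed).

// Stand-in for a gadget class that happens to be loadable on the target.
// Real chains live in plugins/themes/libraries; this one only records that
// its magic method ran instead of doing anything harmful.
class DemoGadget
{
    public string $cmd = '';
    public static array $log = [];

    public function __wakeup(): void
    {
        // In a real gadget this might be exec($this->cmd) or file_put_contents().
        self::$log[] = 'wakeup:' . $this->cmd;
    }
}

// What an attacker would type into a public form field (constructed sample).
// Only printable characters, so a tag/whitespace stripper leaves it intact.
$payload = 'O:10:"DemoGadget":1:{s:3:"cmd";s:8:"touch /x";}';

// Minimal stand-in for a tag-stripping sanitizer such as sanitize_text_field()
// (hypothetical; the real function does more, but none of it touches this payload).
function demo_sanitize(string $v): string
{
    $v = strip_tags($v);
    $v = preg_replace('/[\r\n\t ]+/', ' ', $v);
    return trim($v);
}

// 1. Vulnerable pattern: unserialize() with no allowed_classes option.
function vulnerable_load(string $stored): mixed
{
    return unserialize($stored);                        // instantiates any class
}

// 2. Hardened pattern: forbid every class. Attacker-named classes come back as
//    __PHP_Incomplete_Class and the real class's magic methods never run.
//    (Better still for new code: store entry meta as JSON, which cannot name classes.)
function hardened_load(string $stored): mixed
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// 3. Input-side check for a form handler or WAF rule: does the value contain a
//    PHP serialized object token anywhere? Matches O:<len>:"<class>":<n>:{ and
//    C:<len>:"<class>":<len>:{ , but not ordinary prose such as "O'Brien".
function contains_php_serialized_object(string $v): bool
{
    return (bool) preg_match('/(?:^|[^A-Za-z0-9_])[OC]:\d+:"[^"]*":\d+:\{/', $v);
}

// --- Walk the chain ---------------------------------------------------------
$stored = demo_sanitize($payload);
var_dump($stored === $payload);                         // bool(true): survives sanitisation

DemoGadget::$log = [];
$obj = vulnerable_load($stored);
var_dump($obj instanceof DemoGadget);                   // bool(true)
var_dump(DemoGadget::$log);                             // ["wakeup:touch /x"]: gadget fired

DemoGadget::$log = [];
$safe = hardened_load($stored);
var_dump($safe instanceof __PHP_Incomplete_Class);      // bool(true)
var_dump(DemoGadget::$log);                             // []: __wakeup() never ran

// Input-side detection over a few constructed form values.
foreach ([
    "John O'Brien",                                     // benign, contains "O"
    'Order: 12 items',                                  // benign
    $payload,                                           // object
    'a:1:{i:0;O:8:"stdClass":0:{}}',                    // object nested in an array
    'C:11:"ArrayObject":21:{x:i:0;a:0:{};m:a:0:{}}',    // custom-serialized object
] as $value) {
    printf("%-50s %s\n", $value, contains_php_serialized_object($value) ? 'REJECT' : 'ok');
}
```

The detection regex is deliberately narrow: it keys on the `O:` / `C:` object tokens rather than on any `s:`/`i:`/`a:` scalar or array token, because plain strings and arrays cannot instantiate classes and flagging them would generate noise on fields that legitimately hold serialized settings. Applying it before storage (step 3 of the chain) stops the payload reaching wp_evf_entrymeta at all; applying allowed_classes at the read side (step 7) is what actually removes the vulnerability, and both belong in place.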