
CVE-2026-3296

Severity: Critical · RCE

Published: 08 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (Everest Forms 3.4.4)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0088 (54.4th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-3296 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WordPress (product inferred from references; specifically the Everest Forms plugin). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3296 is a PHP Object Injection vulnerability (CWE-502) affecting the Everest Forms plugin for WordPress in all versions up to and including 3.4.3. The issue arises from the use of PHP's native unserialize() function without the allowed_classes parameter on untrusted input stored as form entry metadata. Specifically, the file includes/admin/views/html-admin-page-entries-view.php calls unserialize() on data from the wp_evf_entrymeta database table, as referenced in the plugin's code at line 133. This vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability by submitting a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field(), which does not strip serialization control characters, and is stored in the wp_evf_entrymeta table via functions such as those in includes/evf-core-functions.php at line 5594. Exploitation occurs when a site administrator views the form entries list or an individual entry: the unsafe unserialize() call runs on the stored data, potentially allowing arbitrary code execution depending on the PHP gadgets available on the site.

The WordPress plugin Trac references indicate the fix shipped in version 3.4.4: the changeset from tags/3.4.3 to tags/3.4.4 modifies readme.txt and the affected html-admin-page-entries-view.php file in trunk. Update to Everest Forms 3.4.4 or later to address the deserialization flaw.

Vulnerability details

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.
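The unsafe pattern described in the deeper analysis and the vulnerability details above, beside the hardened call and a storage-time check, as an added PHP illustration that is not the Everest Forms plugin's own code; the function names and sample values are assumptions, and it assumes PHP 7.0 or later, where the allowed_classes option exists.

```php
<?php
// Added illustration, not code from the Everest Forms plugin: the unsafe
// unserialize() pattern the advisory describes, a hardened replacement, and a
// storage-time check. Function names here are hypothetical.

// Unsafe (CWE-502): a stored meta value reaches unserialize() with no class
// restriction, so an "O:" token can instantiate any loadable class and run
// its __wakeup()/__destruct() magic methods when the admin page renders.
function read_entry_meta_unsafe(string $stored)
{
    return unserialize($stored);
}

// Hardened: allowed_classes => false decodes scalars and arrays normally but
// turns every object token into __PHP_Incomplete_Class, whose magic methods
// never execute. Use an explicit class list instead if a value must hold
// objects of a known type.
function read_entry_meta_safe(string $stored)
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// Storage-time input validation (NIST SI-10): sanitize_text_field() leaves
// serialization control characters intact, so reject object tokens before a
// submitted field value is written to the entry meta table. The pattern
// matches O:<len>:"<class>" and C:<len>:"<class>" at the start of the value or
// after ';' or '{', which also catches objects nested inside arrays.
function contains_serialized_object(string $value): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $value) === 1;
}

// Constructed sample meta values, as they would sit in the table after
// serialize(): a plain string, an array, and a harmless stdClass object.
$samples = [
    'string' => serialize('hello'),
    'array'  => serialize(['field' => 'value']),
    'object' => serialize((object) ['a' => 'b']),
];

foreach ($samples as $label => $stored) {
    $decoded = read_entry_meta_safe($stored);
    printf(
        "%-6s reject=%-3s decoded_as=%s\n",
        $label,
        contains_serialized_object($stored) ? 'yes' : 'no',
        is_object($decoded) ? get_class($decoded) : gettype($decoded)
    );
}
```

Only the stdClass sample is flagged by the check, and the hardened reader decodes it as __PHP_Incomplete_Class rather than a live object, while the string and array samples decode unchanged.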

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

PHP object injection in a public WordPress form plugin directly enables unauthenticated exploitation of a public-facing web application (T1190) via crafted serialized payloads that survive sanitization and trigger RCE when an administrator views entries; common gadget chains allow writing a web shell (T1505.003) for persistent code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2017-20207 (shared CWE-502)
CVE-2025-31103 (shared CWE-502)
CVE-2026-27369 (shared CWE-502)
CVE-2026-25031 (shared CWE-502)
CVE-2025-55010 (shared CWE-502)
CVE-2026-25029 (shared CWE-502)
CVE-2017-20208 (shared CWE-502)
CVE-2026-35537 (shared CWE-502)
CVE-2026-2471 (shared CWE-502)
CVE-2025-62368 (shared CWE-502)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent · SI-2 (Flaw Remediation): Directly remediates the PHP Object Injection by updating the Everest Forms plugin to version 3.4.4 or later, which modifies the unsafe unserialize() call in html-admin-page-entries-view.php.

Prevent · SI-10 (Information Input Validation): Validates untrusted form entry metadata inputs to block serialized PHP object payloads before storage in the wp_evf_entrymeta table.

Prevent: Implements memory protections such as ASLR and DEP to mitigate arbitrary code execution from deserialized PHP object gadgets during admin entry views.
