A critical vulnerability has been identified in the wpeverest Everest Forms plugin for WordPress, specifically related to the Frontend Listing add-on. This flaw, rated 9.8 out of 10, allows an unauthenticated attacker to inject malicious code and potentially gain complete control over the affected website. Successful exploitation could lead to data theft, website defacement, or the server being used for further malicious activities.

The vulnerability is a Deserialization of Untrusted Data, which leads to PHP Object Injection. The application improperly handles user-supplied data when processing form listings. An unauthenticated remote attacker can send a specially crafted serialized PHP object to the application. When the application deserializes this malicious data, the object is created in memory, and its code can be executed, resulting in arbitrary code execution on the web server with the privileges of the web service account.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit could lead to a full compromise of the web server hosting the WordPress site. The potential business impacts are severe and include theft of sensitive data (such as customer information, user credentials, and payment details), complete website defacement, disruption of business operations, and significant reputational damage. The compromised server could also be leveraged to attack other internal systems or to distribute malware, creating further legal and financial liabilities for the organization.

Immediate Action: Immediately update the wpeverest Everest Forms plugin and all associated add-ons to the latest version provided by the vendor to patch this vulnerability. After applying the update, it is critical to review web server and application access logs for any suspicious activity or exploitation attempts that may have occurred prior to patching.

Proactive Monitoring: Implement monitoring to detect potential exploitation attempts. Security teams should look for unusual POST requests in web server logs, particularly those containing long, base64-encoded, or complex strings indicative of serialized PHP objects. Monitor the file system for the creation of unexpected files (e.g., PHP webshells) in web-accessible directories, and watch for anomalous system behavior such as unexpected outbound network connections or high CPU utilization from the web server process.

Compensating Controls: If immediate patching is not feasible, consider the following controls to mitigate risk:

• Web Application Firewall (WAF): Deploy or update a WAF with rules specifically designed to detect and block PHP object injection and deserialization attacks.
• Disable Plugin: If the functionality is not business-critical, temporarily disable the "Everest Forms" and "Everest Forms - Frontend Listing" plugins until patching can be completed.
• Access Control: Restrict access to the website and any form submission endpoints to trusted IP ranges, if applicable.

Public Exploit Available: False

Due to the critical severity (CVSS 9.8) of this vulnerability, which allows for unauthenticated remote code execution, we recommend immediate and urgent action. All instances of the wpeverest Everest Forms plugin and its add-ons must be updated to a patched version without delay. Although this vulnerability is not yet on the CISA KEV list, its potential impact warrants treating it with the highest priority. If patching cannot be performed immediately, the plugin should be disabled to prevent compromise of the web server.