CVE-2026-3296

Everest Forms · Everest Forms

The Everest Forms WordPress plugin is vulnerable to PHP Object Injection via unsafe deserialization of user-supplied form metadata.

Executive summary

An unauthenticated PHP Object Injection vulnerability in Everest Forms allows remote attackers to execute arbitrary code on the host server.

Vulnerability

The plugin processes stored form entry metadata using an unsafe unserialize() call without class restrictions (no allowed_classes limit). This allows unauthenticated attackers to submit malicious serialized objects through form fields; the payload is stored with the entry and deserialized later, when administrative pages process the entry metadata, at which point attacker-chosen classes are instantiated.

Business impact

This vulnerability carries a CVSS score of 9.8, reflecting the potential for full Remote Code Execution (RCE). Successful exploitation could result in complete site takeover, database compromise, and further lateral movement within the hosting environment.

Remediation

Immediate Action: Update the Everest Forms plugin to the latest available version provided by the vendor.

Proactive Monitoring: Monitor for unusual database entries in the wp_evf_entrymeta table and audit server logs for suspicious PHP execution patterns.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block malicious serialized PHP objects in HTTP requests.
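The following is an added illustration, not code from Everest Forms: it contrasts the unrestricted unserialize() call described in the Vulnerability section with a hardened replacement, and adds a scanner for the monitoring step above that flags stored meta values carrying object tokens. Function names and the sample rows are assumptions constructed for the example; it assumes PHP 7.4 or later for the max_depth option.

```php
<?php
// Added example (not plugin code). Function names are illustrative.

// Vulnerable pattern: every class named in the serialized string is
// instantiated, so attacker-controlled data can reach __wakeup/__destruct
// on any class loaded by WordPress or its plugins.
function unsafe_read_entry_meta(string $stored)
{
    return unserialize($stored);
}

// Hardened pattern: allowed_classes => false turns every object in the
// payload into __PHP_Incomplete_Class, so no application code runs during
// deserialization. max_depth (PHP 7.4+) bounds nesting as well.
function safe_read_entry_meta(string $stored)
{
    $value = @unserialize($stored, ['allowed_classes' => false, 'max_depth' => 32]);
    if ($value === false && $stored !== serialize(false)) {
        return null; // malformed or rejected payload
    }
    return $value;
}

// Detection heuristic for the monitoring step: plain form data serializes
// to arrays, strings and scalars only, so an object (O:) or custom-class
// (C:) token at the top level or nested after ';' or '{' is worth review.
// A string value that itself contains ';O:' can false-positive; treat hits
// as triage candidates, not verdicts.
function meta_value_is_suspicious(string $stored): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $stored);
}

// Constructed sample rows standing in for wp_evf_entrymeta.meta_value.
$samples = [
    'a:2:{s:4:"name";s:5:"Alice";s:5:"email";s:17:"alice@example.com";}',
    'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}',
    'a:1:{s:4:"note";O:8:"stdClass":0:{}}',
];
foreach ($samples as $row) {
    printf("%-8s %s\n", meta_value_is_suspicious($row) ? 'FLAGGED' : 'ok', $row);
    // The hardened reader yields __PHP_Incomplete_Class for the object rows
    // instead of a live object.
    var_dump(safe_read_entry_meta($row));
}
```

Run it with `php example.php`; the first row is reported ok and the two object-bearing rows are flagged, while the hardened reader never instantiates stdClass.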

Exploitation status

Public Exploit Available: No

Analyst recommendation

PHP Object Injection is a high-risk vulnerability that requires immediate remediation. Users of the Everest Forms plugin must update immediately and review all form entries for signs of malicious injection.