A critical security vulnerability has been discovered in the Everest Forms WordPress plugin, putting over 100,000 websites at potential risk. The vulnerability, identified as CVE-2025-3439 (CVSS 9.8), is an Unauthenticated PHP Object Injection flaw that could allow attackers to inject malicious code into vulnerable websites.
Everest Forms is a popular WordPress form builder plugin used to create various types of forms, including contact forms, quizzes, surveys, and payment forms. It's known for its beginner-friendly interface and extensive features, making it a widely used tool within the WordPress ecosystem.
The Everest Forms plugin is vulnerable to PHP Object Injection due to the deserialization of untrusted input from the "field_value" parameter. This weakness enables unauthenticated attackers to inject a PHP Object into the website's database.
PHP Object Injection is a serious vulnerability that can be exploited to manipulate data and potentially execute arbitrary code on a web server. While the Everest Forms plugin itself doesn't contain a known POP chain (a Property-Oriented Programming chain: existing code in the application that a crafted, deserialized object can trigger), the danger arises when another plugin or theme installed on the same WordPress site does contain such a chain.
If a vulnerable POP chain is present in conjunction with this Everest Forms vulnerability, attackers could perform various malicious actions, including:
- Deleting arbitrary files
- Retrieving sensitive data
- Executing code

The severity of the impact depends entirely on the capabilities of the available POP chain.
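As an added illustration (not Everest Forms code and not a reconstruction of the vendor's patch), the unsafe deserialization pattern described above is shown next to two hardened alternatives; the class, function names and sample input are constructed for the example.

```php
<?php
// Added illustration, not the plugin's code. The class, function names and
// sample input below are constructed.
declare(strict_types=1);

// Hypothetical class standing in for any class a plugin or theme might load.
// A magic method such as __wakeup or __destruct is what a POP chain abuses;
// this one is deliberately harmless and only records that it ran.
final class ExampleRecord
{
    public string $note = '';
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        // In a gadget class, whatever is here runs during unserialize().
        self::$wakeups++;
    }
}

// Vulnerable pattern: request data goes straight into unserialize(), so the
// sender chooses which class is instantiated and which magic methods execute.
function storeFieldValueVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: keep the PHP serialization format but forbid all classes.
// Objects in the input become __PHP_Incomplete_Class and no magic method runs.
// unserialize() still parses attacker-controlled structure, so prefer pattern 2.
function storeFieldValueNoClasses(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred): do not accept PHP serialization at all.
// JSON carries only scalars and arrays here, never arbitrary PHP classes.
function storeFieldValueJson(string $untrusted): array
{
    $decoded = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : ['value' => $decoded];
}

// Constructed sample input: a serialized ExampleRecord, as a form field might carry it.
$record = new ExampleRecord();
$record->note = 'hello';
$sample = serialize($record);

var_dump(storeFieldValueVulnerable($sample) instanceof ExampleRecord, ExampleRecord::$wakeups);
var_dump(storeFieldValueNoClasses($sample) instanceof __PHP_Incomplete_Class, ExampleRecord::$wakeups);
var_dump(storeFieldValueJson('{"note":"hello"}'));
```

Running the script shows the wake-up counter increment only for the vulnerable path; the `allowed_classes` variant yields an incomplete-class placeholder and the JSON variant never touches PHP's object model.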
The developers of Everest Forms have released version 3.1.2, which addresses this vulnerability. It is crucial for all users of the Everest Forms plugin to update to this latest version as soon as possible to mitigate the risk.