[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIK-GGhnvv9DXh0W55ZneavjOeeJx_BoFlfIH7NyZBEQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":41,"poc_video_id":9,"poc_summary":42,"poc_steps":43,"poc_tested_at":44,"poc_wp_version":45,"poc_php_version":46,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":47,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":48},"CVE-2026-3296","everest-forms-unauthenticated-php-object-injection-via-form-entry-metadata","Everest Forms \u003C= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata","The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. 
When an administrator views the entries list or an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.","everest-forms",null,"\u003C=3.4.3","3.4.4","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-07 11:35:53","2026-04-08 01:24:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=api-prod",1,[22,23,24,25,26,27,28,29],"addons\u002FCleanTalk\u002FCleanTalk.php","addons\u002FCleanTalk\u002FSettings\u002FSettings.php","addons\u002FStyleCustomizer\u002Fassets\u002Fcss\u002Fcustomize-controls.scss","assets\u002Fcss\u002F_confirm.scss","assets\u002Fcss\u002Fadmin-rtl.css","assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.scss","assets\u002Fcss\u002Fcomponents\u002F_accordion.scss","researched",false,3,"# Research Plan: CVE-2026-3296 - Everest Forms Unauthenticated PHP Object Injection\n\n## 1. Vulnerability Summary\nThe **Everest Forms** plugin (versions \u003C= 3.4.3) is vulnerable to **PHP Object Injection** due to the insecure use of the native PHP `unserialize()` function. The vulnerability exists in the way form entry metadata is retrieved and displayed in the WordPress administrative dashboard.\n\nAn unauthenticated attacker can submit a form containing a serialized PHP object payload in any field. This payload is stored in the `wp_evf_entrymeta` table. When an administrator views the \"Entries\" section of the plugin, the `html-admin-page-entries-view.php` file processes this stored metadata using `unserialize()` without restricting the allowed classes. This allows the execution of arbitrary code if a suitable POP (Property-Oriented Programming) gadget chain is present in the environment (e.g., within WordPress core or other active plugins).\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (Front-end form submission).\n*   **Action:** `everest_forms_submit_form` (inferred action for form submission).\n*   **Vulnerable Parameter:** Any form field parameter (e.g., `form_fields[field_id]`).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** \n    1.  At least one Everest Forms form must be published and accessible on the frontend.\n    2.  An administrator must eventually view the submitted entry in the WP-Admin area.\n\n## 3. Code Flow\n1.  **Submission (Unauthenticated):**\n    *   The user submits a form on the frontend.\n    *   The request is processed by `EVF_Frontend_Form_Handler::submit_form()` (or similar class responsible for submission).\n    *   The plugin iterates through fields and applies `sanitize_text_field()`.\n    *   **Critical Note:** `sanitize_text_field()` does not remove characters critical to PHP serialization (like `O:`, `a:`, `{}`).\n    *   The data is saved into the database table `wp_evf_entrymeta`.\n\n2.  **Triggering (Admin):**\n    *   Administrator navigates to `wp-admin\u002Fadmin.php?page=evf-entries`.\n    *   The plugin loads `includes\u002Fadmin\u002Fviews\u002Fhtml-admin-page-entries-view.php`.\n    *   The code retrieves entry meta: `$entry_meta = $wpdb->get_results(...)`.\n    *   The code iterates through the meta values and calls `unserialize( $meta_value->meta_value )`.\n    *   The PHP Object Injection is triggered at this point.\n\n## 4. Nonce Acquisition Strategy\nForm submissions in Everest Forms are protected by a frontend nonce.\n\n1.  **Identify the Script\u002FVariable:** Everest Forms typically localizes parameters under the handle `everest-forms-frontend`.\n2.  **Target Variable:** `window.evf_frontend_params` (inferred).\n3.  **Target Key:** `nonce`.\n4.  
**Acquisition Steps:**\n    *   Use WP-CLI to create a form and a page containing that form's shortcode.\n    *   Use the `browser_navigate` tool to go to the newly created page.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        window.evf_frontend_params?.nonce || document.querySelector('#everest-forms-nonce')?.value\n        ```\n    *   Note: If the `CleanTalk` addon is active, it enqueues a different nonce (`everest_forms_clean_talk_nonce`), but this is for admin settings and likely not the submission nonce.\n\n## 5. Exploitation Strategy\n\n### Step 1: Payload Selection\nSince we need to confirm the injection, we will use a gadget chain that produces an observable side effect. A common gadget for WordPress is `GuzzleHttp\\Cookie\\CookieJar` (if available) or a generic `__destruct` trigger that logs to a file. For initial PoC, a \"dummy\" serialized object can be used to confirm whether `unserialize` is reached.\n\n**Payload Example (Generic):**\n`O:8:\"stdClass\":1:{s:3:\"abc\";s:3:\"def\";}`\n\n### Step 2: Submission Request\nSubmit the payload via the AJAX submission endpoint.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `everest_forms_submit_form`\n    *   `everest_forms[id]`: `\u003Cform_id>`\n    *   `everest_forms_nonce`: `\u003Cextracted_nonce>`\n    *   `form_fields[\u003Cfield_id>]`: `O:8:\"stdClass\":1:{s:3:\"abc\";s:3:\"def\";}` (URL-encoded)\n\n### Step 3: Triggering\nLog in as an administrator and access the entry viewer.\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin.php?page=evf-entries&view=entries&form_id=\u003Cform_id>`\n\n## 6. Test Data Setup\n1.  
**Create a Form:**\n    ```bash\n    wp evf-form create --title=\"Exploit Form\" --status=\"publish\"\n    ```\n    *(Note: If `evf-form` command doesn't exist, use `wp post create` with post_type `everest_forms` and appropriate JSON in `post_content`.)*\n2.  **Extract Form ID and Field ID:** Retrieve the ID from the previous command or `wp post list --post_type=everest_forms`.\n3.  **Create a Public Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Contact\" --post_content='[everest_form id=\"\u003Cform_id>\"]' --post_status=\"publish\"\n    ```\n\n## 7. Expected Results\n*   The form submission should return a success JSON: `{\"success\":true,...}`.\n*   Upon viewing entries as an admin, if a malicious gadget is used (e.g., one that calls `wp_die()`), the admin page will crash or display the `wp_die` message, confirming execution.\n*   If using a dummy object, we can verify it was stored correctly in the database.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the payload is stored in the `wp_evf_entrymeta` table without being mangled.\n    ```bash\n    wp db query \"SELECT * FROM $(wp db prefix)evf_entrymeta WHERE meta_value LIKE 'O:%';\"\n    ```\n2.  **Execution Check:** Use a gadget that creates a file in `wp-content\u002F` and verify its existence using `ls`.\n\n## 9. 
Alternative Approaches\n*   **Direct POST:** Some versions allow submitting directly to the page containing the shortcode via a standard `POST` request (non-AJAX).\n*   **Different Entry Points:** If `evf-entries` doesn't trigger it, try the individual entry view: `wp-admin\u002Fadmin.php?page=evf-entries&view=view-entry&entry_id=\u003Centry_id>`.\n*   **Gadget Chains:** If `GuzzleHttp` isn't present, check for `Requests` (WordPress core) or other common libraries used by Everest Forms.","The Everest Forms plugin for WordPress (versions \u003C= 3.4.3) is vulnerable to unauthenticated PHP Object Injection due to improper use of the native PHP unserialize() function on form entry metadata. Attackers can submit malicious serialized objects through form fields, which are stored in the database and executed when an administrator views the submissions in the dashboard.","\u002F\u002F includes\u002Fadmin\u002Fviews\u002Fhtml-admin-page-entries-view.php\n\n\u002F\u002F The code retrieves entry meta and attempts to deserialize it without class restrictions:\n$entry_meta = $wpdb->get_results( ... );\n\nforeach ( $entry_meta as $meta_value ) {\n    \u002F\u002F ...\n    $meta_val = unserialize( $meta_value->meta_value );\n    \u002F\u002F ...\n}","--- a\u002Fincludes\u002Fadmin\u002Fviews\u002Fhtml-admin-page-entries-view.php\n+++ b\u002Fincludes\u002Fadmin\u002Fviews\u002Fhtml-admin-page-entries-view.php\n@@ -124,7 +124,7 @@\n \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tif ( is_serialized( $meta_value->meta_value ) ) {\n-\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t$meta_val = unserialize( $meta_value->meta_value );\n+\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t$meta_val = unserialize( $meta_value->meta_value, array( 'allowed_classes' => false ) );\n \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tif ( is_array( $meta_val ) ) {","1. Access a public page containing an Everest Forms form and extract the submission nonce from 'window.evf_frontend_params'.\n2. 
Construct a PHP Object Injection payload using an available POP gadget chain.\n3. Send an unauthenticated POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' set to 'everest_forms_submit_form' and the malicious payload in a form field parameter.\n4. The payload is stored in the 'wp_evf_entrymeta' table as part of the submission metadata.\n5. Trigger the payload by having an administrator visit the 'Entries' management page ('wp-admin\u002Fadmin.php?page=evf-entries') in the WordPress backend, where the plugin insecurely deserializes the stored value.","gemini-3-flash-preview","2026-04-17 20:53:28","2026-04-17 20:53:49","failed","All models in the chain (gemini-3-flash-preview, claude-opus-4-6) failed to produce a verified exploit.",[],"2026-04-18 13:20:45","6.7","8.3",true,{"type":49,"vulnerable_version":50,"fixed_version":11,"vulnerable_browse":51,"vulnerable_zip":52,"fixed_browse":53,"fixed_zip":54,"all_tags":55},"plugin","3.4.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feverest-forms\u002Ftags\u002F3.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feverest-forms.3.4.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feverest-forms\u002Ftags\u002F3.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feverest-forms.3.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feverest-forms\u002Ftags"]