CVE-2026-3296 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-3296 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-3296 is a PHP Object Injection vulnerability in the Everest Forms plugin for WordPress, affecting all versions up to and including 3.4.3, triggered through deserialization of untrusted input supplied via form entry metadata.

Technical Detail

The flaw exists because the plugin deserializes user-controlled data from form entry metadata without adequate validation or sanitization, allowing an attacker to inject a crafted serialized PHP object. If a suitable gadget chain is present in the WordPress environment, this can lead to remote code execution, arbitrary file deletion, or other high-impact outcomes depending on the available class hierarchy. The attack surface is exposed to any user capable of submitting a form, which in many deployments means unauthenticated or low-privileged users, consistent with the CVSS 9.8 critical score.

Exploitation Status

No known exploit has been publicly documented or confirmed as of April 15, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. While no proof-of-concept code has been identified in public repositories, PHP Object Injection vulnerabilities with accessible attack surfaces are historically attractive targets and can be weaponized relatively quickly once a viable gadget chain is identified in a target environment.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this CVE. WordPress plugin vulnerabilities of this class are frequently exploited opportunistically by automated scanning tools and low-sophistication actors once exploitation details become public, so the risk profile may change rapidly.

What To Do

Update the Everest Forms plugin to a version beyond 3.4.3 immediately. Site administrators should verify the installed version via the WordPress dashboard and apply the patch as a priority given the critical CVSS score and the unauthenticated or low-privilege attack surface. If an immediate update is not possible, consider temporarily disabling the plugin or restricting form submission access to authenticated users only as a compensating control. Monitor server logs and PHP error logs for unexpected deserialization activity or anomalous object instantiation patterns. Ensure that no unnecessary PHP classes with destructive gadget chain potential are loaded in the application environment, and review any WAF rules to flag or block serialized PHP payloads in form submission fields.