Critical Vulnerability Impacting Over 100K Sites Patched in Everest Forms Plugin
The security vulnerability
In versions 3.2.2 and earlier, Everest Forms is vulnerable to PHP object injection in certain WordPress environments when an Administrator user views form submissions. The plugin accepts serialized data in many form fields. When an admin reviews these submissions, the plugin checks whether a stored value looks serialized and, if so, unserializes it before displaying the contents, so attacker-controlled data reaches PHP's unserialize function.
A PHP object injection vulnerability is exploited by supplying a serialized string that, when unserialized, instantiates an arbitrary PHP class with attacker-chosen property values. Magic methods on that class (__wakeup, __destruct, __toString and similar) then run with those values, so the attacker can abuse flaws in any class that is loaded at the time, even classes the plugin never uses directly, leading to a range of potential impacts. You can learn more about PHP object injection in our Academy article.
In the vulnerable versions of Everest Forms, the plugin provides a custom wrapper, evf_maybe_unserialize, for PHP's unserialize function. On PHP 7.1 and newer the wrapper passes the allowed_classes option so that no class is instantiated (any object in the payload becomes a __PHP_Incomplete_Class and no magic methods run). On older PHP versions (< 7.1), however, the wrapper calls unserialize without that option, allowing an object injection attack to still be triggered. PHP itself has supported allowed_classes since 7.0, so the gap comes from the wrapper's own version check rather than from the runtime.
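The following is an added example, not Everest Forms code, that shows why the filter matters. It uses a hypothetical gadget class (LogWriter) standing in for any loaded class with a dangerous magic method, a constructed payload of the kind a form field could carry, and two hypothetical helpers: unserialize_unfiltered, which mirrors the unfiltered branch of a wrapper like evf_maybe_unserialize, and unserialize_safe, which applies allowed_classes on every PHP version that has it. The file path used as a side-effect marker is also an assumption.

```php
<?php
// Added example; not code from the plugin or from the original article.

// Hypothetical gadget class. It only needs to be loaded, not used by the
// plugin: unserialize will instantiate it if the payload names it.
class LogWriter {
    public $path;
    public $content;

    // Runs when the injected object is destroyed, i.e. as soon as the
    // unserialized value goes out of scope in the viewing code.
    public function __destruct() {
        file_put_contents($this->path, $this->content);
    }
}

// Constructed attacker payload, as it would be stored in a form field.
// Property values are attacker-controlled; the marker path is an assumption.
$marker  = '/tmp/evf_poc_marker';
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:19:"/tmp/evf_poc_marker";'
         . 's:7:"content";s:5:"owned";}';

// Mirrors the unfiltered branch: unserialize with no options, so any class
// named in the payload is instantiated and its magic methods can fire.
function unserialize_unfiltered($data) {
    return @unserialize(trim($data));
}

// Hardened form: refuse to instantiate any class. allowed_classes exists
// from PHP 7.0, so key the check on the runtime feature, not on 7.1. On a
// runtime without it there is no safe unserialize, so keep the raw string.
function unserialize_safe($data) {
    if (PHP_VERSION_ID < 70000) {
        return $data;
    }
    return @unserialize(trim($data), array('allowed_classes' => false));
}

@unlink($marker);

// Hardened path: the object is materialized as __PHP_Incomplete_Class, so
// LogWriter::__destruct never runs and the marker file is not created.
$safe = unserialize_safe($payload);
$safeIsIncomplete = $safe instanceof __PHP_Incomplete_Class;
unset($safe);
$markerAfterSafe = file_exists($marker);

// Vulnerable path: a real LogWriter is built from attacker data and its
// destructor writes the file when the variable is released.
$unsafe = unserialize_unfiltered($payload);
$unsafeIsGadget = $unsafe instanceof LogWriter;
unset($unsafe);
$markerAfterUnsafe = file_exists($marker);

var_dump($safeIsIncomplete, $markerAfterSafe, $unsafeIsGadget, $markerAfterUnsafe);
@unlink($marker);
```

The first two values show that the filtered call instantiates nothing and produces no side effect; the last two show the unfiltered call instantiating the gadget and running its destructor. Gating the option on a runtime feature check rather than on a specific version string avoids the gap described above, and where the stored value only ever needs to be displayed, the stronger fix is to avoid unserialize on user-submitted data altogether (for example by storing JSON).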
To read the complete article see:
Critical Vulnerability Impacting Over 100K Sites Patched in Everest Forms Plugin