CVE-2025-8871Deserialization of Untrusted Data in Everest Forms PRO

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
5.6MEDIUMNVD
EPSS
0.2%
top 53.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wpeverest Everest Forms PRO
Timeline
PublishedNov 5

Description

The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a non-required signature form field along with an image upload field. No known POP chain is present in the vulnerab

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.2 | Impact: 3.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-6wgh-rvcx-89g9: The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 12025-11-05
CVEList
Everest Forms (Pro) <= 1.9.7 - Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature2025-11-05
CVE-2025-8871 — Deserialization of Untrusted Data | cvebase