LeakyCreds
NewInstant webhook alerts now available — notified within seconds of any credential detection.Learn more →
Home / Vulnerability Intelligence / CVE-2026-3296

CVE-2026-3296 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 8, 2026

Everest Forms WordPress Plugin - Authentication Bypass

Published: April 8, 2026Updated: April 8, 2026Remote Exploitable

Overview

Everest Forms WordPress plugin <= 3.4.3 contains a PHP Object Injection caused by unsafe unserialize() of form entry metadata in html-admin-page-entries-view.php, letting unauthenticated attackers execute arbitrary code, exploit requires administrator to view entries.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Unauthenticated attackers can execute arbitrary PHP code when an administrator views malicious form entries, potentially leading to full site compromise.

Mitigation

Update to the latest version beyond 3.4.3.

References

Related Resources

Details

CVE ID
CVE-2026-3296
Severity
Critical
CVSS Score
9.8
Type
insecure_deserialization
Status
new

CWE

  • CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H