Everest Forms PHP Object Injection Vulnerability

Vulnerability

A PHP object injection vulnerability has been identified in the Everest Forms plugin for WordPress, affecting all versions through 3.4.3. The issue arises in the plugin's 'html-admin-page-entries-view.php' file, which deserializes untrusted form entry metadata with PHP's native 'unserialize()' function. No safeguards are applied at that point, so unauthenticated attackers can submit serialized PHP object payloads through public form fields. The payloads survive 'sanitize_text_field()', which does not remove the characters a serialized string is made of, and are stored in the 'wp_evf_entrymeta' database table. When an administrator views the entries, the stored data is deserialized without any class restriction, allowing the injected object to be instantiated.

Impact

Exploitation of this vulnerability allows for unauthenticated PHP object injection, which can be leveraged to execute arbitrary PHP code or manipulate the application in unintended ways.

Reproduction

To reproduce this vulnerability, an unauthenticated user can inject a serialized PHP object payload through any public Everest Forms form field. The payload will be stored in the 'wp_evf_entrymeta' database table. When an administrator views the entries, the injected payload will be deserialized by the 'unserialize()' function without any class restrictions, allowing for potential exploitation.
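The pattern described in the Vulnerability and Reproduction sections, shown as an added illustration that is not the plugin's own code: the vulnerable read (unrestricted 'unserialize()'), a hardened read that refuses to instantiate any class, an input-side check that catches serialized object tokens 'sanitize_text_field()' lets through, and a forensic sweep over stored entry metadata. Function names and the sample rows are assumptions constructed for the example.

```php
<?php
// Added illustration, not code from the Everest Forms plugin.
// Function names and sample data are assumptions chosen for the example.

declare(strict_types=1);

/**
 * Vulnerable pattern from the advisory: metadata an unauthenticated visitor
 * controlled is passed to unserialize() with no class restriction, so a
 * serialized object instantiates any loaded class and its magic methods
 * (__wakeup, __destruct, ...) run in the administrator's request.
 */
function render_entry_meta_vulnerable(string $stored_meta)
{
    return unserialize($stored_meta); // any class may be instantiated
}

/**
 * Hardened reader: allowed_classes => false (PHP >= 7.0) turns every object
 * into __PHP_Incomplete_Class, so no constructor or magic method runs.
 * Scalars and arrays still round-trip unchanged.
 */
function render_entry_meta_hardened(string $stored_meta)
{
    $value = unserialize($stored_meta, ['allowed_classes' => false]);
    if ($value === false && $stored_meta !== serialize(false)) {
        return null; // malformed input: treat as empty rather than trusting it
    }
    return $value;
}

/**
 * Input-side check. sanitize_text_field() keeps the quotes, colons and braces
 * a serialized object needs, so match the object/class tokens explicitly
 * (O:<len>:"Class": or C:<len>:"Class":, also when nested inside an array).
 * Returns true when the value looks like a serialized PHP object.
 */
function looks_like_serialized_object(string $field_value): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"[^"]*":/', $field_value);
}

/**
 * Forensic sweep for incident response: given rows read from the entry meta
 * table, return the meta_id of every row carrying a serialized object.
 */
function find_suspicious_entry_meta(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        if (looks_like_serialized_object((string) $row['meta_value'])) {
            $hits[] = $row['meta_id'];
        }
    }
    return $hits;
}

// Constructed sample rows; stdClass stands in for whatever class a payload
// might name. Row 2 is a harmless serialized array and must not be flagged.
$sample_rows = [
    ['meta_id' => 1, 'meta_value' => 'Jane Doe'],
    ['meta_id' => 2, 'meta_value' => serialize(['phone' => '555-0100'])],
    ['meta_id' => 3, 'meta_value' => serialize((object) ['note' => 'x'])],
];

print_r(find_suspicious_entry_meta($sample_rows));
var_dump(render_entry_meta_hardened($sample_rows[2]['meta_value']));
```

The hardened reader is the fix for the read side; the input-side check belongs on the store side so that a payload never reaches the database in the first place. Where the stored values are only ever arrays and scalars, storing them as JSON and reading them back with 'json_decode()' removes the deserialization surface entirely.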

Remediation

Users are advised to update the Everest Forms plugin to version 3.4.4 or later, where this vulnerability has been patched.

Added: Apr 8, 2026, 2:33 AM
Updated: Apr 8, 2026, 2:33 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 7.0
remediation: 7.7
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.