The Everest Forms Pro plugin for WordPress versions up to 1.9.7 is vulnerable to PHP Object Injection due to unsafe deserialization of untrusted data in the mime_content_type() function. This vulnerability allows unauthenticated attackers to inject PHP objects when a form includes a non-required signature field alongside an image upload field. Exploitation is only possible on PHP versions prior to 8 and requires the presence of a POP chain gadget in other installed plugins or themes to achieve meaningful impact such as arbitrary file deletion, sensitive data retrieval, or code execution. No POP chain is present in Everest Forms Pro itself, limiting the vulnerability's standalone impact.

The vulnerability has a CVSS score of 5.6 (medium severity) with network attack vector, high attack complexity, no privileges required, and no user interaction needed. Impact includes limited confidentiality, integrity, and availability loss if a POP chain gadget is present in other installed components. Without such a POP chain, the vulnerability cannot be exploited to cause harm. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided, users should monitor WPEverest advisories for updates. Mitigation includes upgrading PHP to version 8 or later, which prevents exploitation. Additionally, review installed plugins and themes for potential POP chain gadgets that could be leveraged in conjunction with this vulnerability.