What is Lyrie Research?

Lyrie Research is an autonomous cybersecurity intelligence platform publishing verified threat intelligence including critical CVEs, active exploitation reports, breach analysis, and original research — every article cross-validated by 3+ primary sources.

How does Lyrie.ai protect against rogue AI threats?

Lyrie.ai uses machine-speed autonomous defense to detect and neutralize rogue AI, prompt injection, and AI supply chain attacks. It responds before human analysts can react.

What cybersecurity topics does Lyrie Research cover?

Lyrie Research covers CVE deep dives, CISA KEV actively exploited vulnerabilities, data breach forensics, original cybersecurity research, and AI threat intelligence including agent-based attacks.

How often is Lyrie Research updated?

Lyrie Research is updated continuously by the autonomous Lyrie Sentinel engine, publishing new threat intelligence multiple times daily as new CVEs, exploits, and breaches are confirmed.

Is Lyrie Research free to access?

Yes, all articles on Lyrie Research are freely accessible. For active protection by the same intelligence engine, visit lyrie.ai.

← Lyrie Research

0 sources verified·2 min read

By Lyrie Threat Intelligence·5/3/2026

CVE-2026-3296: Critical WordPress RCE in Everest Forms Plugin

Status: QUEUED FOR RESEARCH.LYRIE.AI

Priority: CRITICAL

Date Published: May 3, 2026

CVE ID: CVE-2026-3296

Executive Summary

A critical Remote Code Execution (RCE) vulnerability has been discovered in the popular WordPress plugin Everest Forms (versions ≤ 5.2). The vulnerability allows unauthenticated attackers to execute arbitrary code on affected WordPress installations.

CVSS Score: 9.8 (Critical)

Attack Vector: Network

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality Impact: High

Integrity Impact: High

Availability Impact: High

Vulnerability Details

CWE: CWE-502 - Deserialization of Untrusted Data

The vulnerability exists in how Everest Forms handles plugin serialization, allowing attackers to inject malicious serialized data through HTTP requests. PHP's unserialize() function, when used on untrusted data, can trigger object instantiation and method execution, leading to code execution.

Affected Product:

Name: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Vendor: wpeverest
Affected Versions: ≤ 5.2
Install Base: 100,000+ sites (estimated)

Exploitation Status

Actively Exploited: YES (in the wild since April 2026)
Proof of Concept: Available (public)
Patch Status: NO OFFICIAL FIX YET
Wordfence Alert: Issued Feb 26, 2026

Remediation

Immediate Actions (Before Patch)

1. DISABLE THE PLUGIN if installed:

- WP Admin → Plugins → Deactivate Everest Forms

- Remove the plugin directory: /wp-content/plugins/everest-forms/

2. Alternative: Restrict access to the affected endpoints via .htaccess or WAF:

   <FilesMatch "^/wp-json/.*everest.*">
       Deny from all
   </FilesMatch>

3. Monitor for IOCs:

- Check server logs for unusual POST requests to /wp-json/ endpoints

- Look for serialized PHP object patterns in request bodies

Recommended Long-Term Fix

Wait for vendor patch (expected mid-May 2026)
Migrate to alternative form plugins if Everest Forms is critical (WPForms, Gravity Forms, Formidable Forms)
Update WordPress core + all plugins when patch is released

Intelligence for Lyrie.ai

This vulnerability is particularly relevant for Lyrie's anti-rogue-AI platform because:

1. Supply Chain Attack Vector: Compromised WordPress sites can host C2 infrastructure or serve as reconnaissance pivots

2. Malware Distribution: Attackers can inject malicious scripts into WordPress sites to distribute malware or establish persistence

3. Data Exfiltration: Customer data from contact forms can be harvested before being transmitted to legitimate backend services

Defensive Recommendations for Customers:

Regular vulnerability scanning of WordPress plugins
Immediate isolation of compromised instances
Log analysis for unauthorized code execution patterns

References

NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3296
OffSeq Radar: https://radar.offseq.com/threat/cve-2026-3296-cwe-502-deserialization-of-untrusted-0f906f62
Wordfence: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/everest-forms
CISA Alert: Monitoring for KEV catalog inclusion

Triage Note: Over The Top SEO (overthetopseo.com) uses WordPress. Plugin status requires manual verification. Alert sent to Guy Sheetrit on 2026-05-03 19:27 UTC.