CVE-2026-3296 is a critical PHP object injection vulnerability (CVSS 9.8) in the Everest Forms WordPress plugin, affecting all versions up to and including 3.4.3. An unauthenticated attacker can inject serialized PHP payloads through public-facing contact forms; the payload executes when an administrator views form submissions, creating a two-stage stored attack chain that can result in remote code execution. The vulnerability is listed in CISA KEV and confirmed actively exploited.
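
Because the payload sits in stored submissions until an administrator opens them, stored entries can be triaged for PHP serialized-object tokens before anyone views them. The following is an added example, not code from the plugin or from this advisory; the function names and the sample entries are constructed for illustration, and how entries are exported from the site is left as an assumption.

```python
import re

# Header of a PHP serialized object, O:<len>:"<class>":<count>:{ , or of a
# custom-serialized object, C:<len>:"<class>":<datalen>:{ .
# A leading '+' on the length is tolerated.
_OBJ_TOKEN = re.compile(rb'(?<![A-Za-z0-9_])([OC]):\+?(\d+):"([^"]*)":(\d+):\{')


def find_serialized_objects(value):
    """Return the class names of PHP serialized-object headers found in value.

    A token only counts when its declared length equals the byte length of
    the class name, which filters out text that merely resembles the format.
    """
    data = value.encode("utf-8") if isinstance(value, str) else value
    hits = []
    for m in _OBJ_TOKEN.finditer(data):
        declared_len, class_name = int(m.group(2)), m.group(3)
        if declared_len == len(class_name):
            hits.append(class_name.decode("utf-8", "replace"))
    return hits


def triage_entries(entries):
    """Map entry id -> {field: [class names]} for entries with object tokens."""
    flagged = {}
    for entry_id, fields in entries.items():
        bad = {k: c for k, v in fields.items() if (c := find_serialized_objects(v))}
        if bad:
            flagged[entry_id] = bad
    return flagged


# Constructed sample entries (not real submissions); stdClass is a benign
# built-in class used only to show the serialized-object shape.
SAMPLE_ENTRIES = {
    101: {"name": "Alice", "message": "Order: 12 units please"},
    102: {"name": "Bob", "message": 'O:8:"stdClass":0:{}'},
    103: {"name": 'a:1:{i:0;O:8:"stdClass":0:{}}', "message": "hi"},
    104: {"name": "Carol", "message": 'O:3:"too long":0:{}'},  # length mismatch
}

if __name__ == "__main__":
    for entry_id, fields in triage_entries(SAMPLE_ENTRIES).items():
        print(entry_id, fields)
```

A hit marks an entry for review rather than proving an attack: legitimate text that quotes serialized data will also match.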