Description
The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.
Published: 2025-02-25
Score: 9.8 Critical
EPSS: 11.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Everest Forms plugin for WordPress contains a flaw in the EVF_Form_Fields_Upload class that allows unauthenticated users to upload, read, and delete arbitrary files on the server. The lack of file type and path validation permits attackers to place malicious scripts or other files, which can lead to remote code execution, data theft, or a full site takeover. This weakness is classified as CWE-434.

Affected Systems

WordPress sites running the Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin, versions 3.0.9.4 and earlier, should be considered vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8 and an EPSS score of 11%, indicating that it is both severe and currently considered likely to be exploited. It is not listed in the CISA KEV catalog. Attackers can target the exposed upload endpoint without authentication, making exploitation straightforward over the web.

Generated by OpenCVE AI on May 21, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Everest Forms plugin to the latest release that includes the missing file validation fix.
  • Configure form settings to limit or remove file upload fields for public or untrusted users.
  • Deploy WAF rules or server-side checks to reject uploads of disallowed file types and enforce strict MIME type validation.
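The third action above, server-side checks on uploaded files, is the control whose absence the description attributes to the 'format' method. The following PHP is an added example written for this page, not code from Everest Forms or WordPress core; it shows what a WordPress upload handler should verify before storing a file and how to confine later read or delete operations to the uploads directory. The function names, the allowlist of types and the `example-form-uploads` subdirectory are assumptions chosen for illustration; `wp_check_filetype_and_ext`, `sanitize_file_name`, `wp_basename`, `wp_upload_dir`, `wp_unique_filename`, `wp_mkdir_p` and `WP_Error` are real WordPress core functions.

```php
<?php
/**
 * Added example (not Everest Forms or WordPress core code). Function names,
 * the allowlist and the target subdirectory are assumptions for illustration.
 *
 * Storing an upload safely means, in order:
 *   1. confirming the file really came through PHP's upload mechanism,
 *   2. accepting only allowlisted extensions whose sniffed content type agrees
 *      (wp_check_filetype_and_ext does both and rejects mismatches),
 *   3. discarding any client-supplied directory components and sanitizing the name,
 *   4. moving the temp file with move_uploaded_file rather than copying from an
 *      attacker-chosen path, into a directory that is verified to sit under uploads.
 */
function example_store_form_upload( array $file ) {
	// Non-executable document and image types only; never php/phtml/htaccess.
	$allowed = array(
		'jpg|jpeg' => 'image/jpeg',
		'png'      => 'image/png',
		'pdf'      => 'application/pdf',
	);

	if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
		return new WP_Error( 'no_upload', 'Not an uploaded file.' );
	}
	if ( ! empty( $file['error'] ) ) {
		return new WP_Error( 'upload_error', 'PHP reported an upload error.' );
	}

	// Strip directory components the client may have sent, then sanitize the name.
	$name = sanitize_file_name( wp_basename( $file['name'] ) );
	if ( '' === $name ) {
		return new WP_Error( 'bad_name', 'Empty file name after sanitization.' );
	}

	// Extension must be allowlisted and the real content type must agree with it.
	$check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
	if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
		return new WP_Error( 'bad_type', 'File type not allowed.' );
	}
	if ( ! empty( $check['proper_filename'] ) ) {
		$name = $check['proper_filename']; // WordPress corrected a mismatched image extension.
	}

	// Destination directory: a fixed subdirectory of the uploads folder (assumed name).
	$base = realpath( wp_upload_dir()['basedir'] );
	if ( false === $base ) {
		return new WP_Error( 'no_dir', 'Uploads directory unavailable.' );
	}
	$target_dir = $base . DIRECTORY_SEPARATOR . 'example-form-uploads';
	if ( ! is_dir( $target_dir ) && ! wp_mkdir_p( $target_dir ) ) {
		return new WP_Error( 'no_dir', 'Could not create upload subdirectory.' );
	}
	$path = $target_dir . DIRECTORY_SEPARATOR . wp_unique_filename( $target_dir, $name );

	if ( ! move_uploaded_file( $file['tmp_name'], $path ) ) {
		return new WP_Error( 'move_failed', 'Could not store upload.' );
	}
	chmod( $path, 0644 );
	return $path;
}

/**
 * Resolve a user-supplied relative path (e.g. from a "download" or "remove"
 * request) and refuse anything that does not stay inside the uploads directory.
 * This is the path validation that read and delete handlers need before
 * calling file_get_contents() or unlink().
 */
function example_resolve_upload_path( string $user_supplied ) {
	$base = realpath( wp_upload_dir()['basedir'] );
	$real = realpath( $base . DIRECTORY_SEPARATOR . $user_supplied );
	// realpath() collapses "../" and symlinks, so a prefix check on the result is reliable.
	if ( false === $base || false === $real
		|| 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
		return new WP_Error( 'outside_uploads', 'Path is outside the uploads directory.' );
	}
	return $real;
}
```

Both functions return a `WP_Error` on any failed check so the caller can refuse the request rather than fall through; they should sit behind whatever nonce and capability checks the form's context requires. Even with an allowlist in place, serving the upload subdirectory with script execution disabled (for example a `.htaccess` or equivalent server rule denying PHP handlers there) limits the impact if a check is ever bypassed.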



Advisories
Source: EUVD
ID: EUVD-2025-5070
Title: The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.
History

Tue, 25 Feb 2025 15:15:00 +0000

Metrics added (ssvc):
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 07:15:00 +0000

Description added: The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.
Title added: Everest Forms <= 3.0.9.4 - Unauthenticated Arbitrary File Upload, Read, and Deletion
Weaknesses added: CWE-434
References
Metrics added (cvssV3_1):
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:56.141Z

Reserved: 2025-02-07T22:28:03.463Z

Link: CVE-2025-1128

Vulnrichment

Updated: 2025-02-25T14:33:21.972Z

NVD

Status : Received

Published: 2025-02-25T07:15:18.480

Modified: 2025-02-25T07:15:18.480

Link: CVE-2025-1128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T15:00:11Z

Weaknesses