Description
The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-04-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw exposed through the 'form_id' query parameter in the Everest Forms WordPress plugin. Unsanitized input can be echoed back to the browser, enabling an unauthenticated attacker to inject arbitrary JavaScript that executes when a user views the reflected form. This allows theft of session data, credential hijacking, or malicious content delivery, directly compromising the confidentiality and integrity of end‑user browsers.

Affected Systems

The flaw affects every installation of the Everest Forms plugin for WordPress version 3.1.1 and older. Users who have not upgraded past 3.1.1 are vulnerable irrespective of site role or authentication status. Native WordPress environments that host the plugin remain at risk until the upgrade is performed.

Risk and Exploitability

The CVSS base score of 6.1 indicates moderate severity, yet the EPSS score of less than 1% suggests a low exploitation probability at present. The flaw is not listed in the CISA KEV catalog. Attackers can exploit the issue by crafting a malicious URL containing a forged 'form_id' value and luring a visitor to click the link, which causes the injected script to run in the victim’s browser.

Generated by OpenCVE AI on April 21, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Everest Forms plugin to version 3.1.2 or newer, which includes the input sanitization fix for the 'form_id' parameter.
  • If an upgrade cannot be performed immediately, block or strip the 'form_id' query parameter in your web application firewall or via WordPress settings to prevent the reflected payload.
  • Enhance your site’s security by enabling Wordfence or a similar Web Application Firewall and configuring it to detect and reject JavaScript payloads in URL query strings, specifically targeting the 'form_id' parameter.

Generated by OpenCVE AI on April 21, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10801 The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 23 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wpeverest
Wpeverest everest Forms
CPEs cpe:2.3:a:wpeverest:everest_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpeverest
Wpeverest everest Forms

Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 11 Apr 2025 13:00:00 +0000

Type Values Removed Values Added
Description The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Everest Forms <= 3.1.1 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wpeverest Everest Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:06.456Z

Reserved: 2025-04-07T14:54:40.713Z

Link: CVE-2025-3421

cve-icon Vulnrichment

Updated: 2025-04-11T13:16:43.660Z

cve-icon NVD

Status : Modified

Published: 2025-04-11T13:15:40.800

Modified: 2026-04-08T19:24:01.657

Link: CVE-2025-3421

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses