Description
The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.
Published: 2025-06-25
Score: 7.5 High
EPSS: 1.8% Low
KEV: No
Impact: Remote File Deletion with Potential Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The Everest Forms (Pro) plugin contains an insufficient file path validation flaw in the delete_entry_files() function, classified as CWE-36. An attacker can plant malicious file paths in a form entry; when an administrator later deletes that entry, delete_entry_files() removes the referenced files without validating that they belong to the entry, resulting in the deletion of arbitrary files on the server. If critical files such as wp-config.php are removed, the deletion can lead to immediate remote code execution or other severe compromise of the WordPress installation.

Affected Systems

The vulnerability affects the WPEverest Everest Forms Pro plugin for WordPress. All released versions up to and including 1.9.4 are susceptible. The affected product is listed under the vendor WPEverest and the product name Everest Forms Pro.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and the EPSS score of 2% indicates a low current exploit probability. The weakness is not currently listed in CISA’s KEV catalog. Attackers can attempt to exploit the vulnerability by sending crafted deletion requests; however, the deletion action must be initiated by an authenticated administrator deleting a form entry, so the exploitation path requires both unauthenticated manipulation and an admin trigger. From the available data, the threat is considered high severity but with a low likelihood of active exploitation in the present environment.

Generated by OpenCVE AI on April 22, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Everest Forms Pro to the latest available version, which addresses the path validation flaw.
  • Restrict the delete_entry_files endpoint to only allow authenticated users with the Administrator role and require confirmation before file deletion is executed.
  • Deploy a web application firewall rule to block requests containing path traversal sequences against the delete_entry_files endpoint and monitor for abnormal delete activity.
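One way to implement the path validation the Impact section says is missing and the first recommendation calls for, as an added example that is not Everest Forms' own code: the stored path is treated as untrusted regardless of who triggers the deletion, canonicalised with realpath(), and only removed if it resolves to a regular file under an assumed everest_forms folder inside the WordPress uploads directory.

```php
<?php
/**
 * Added example, not plugin code. Deletes a form entry's uploaded file only
 * when the stored path resolves to a regular file inside the upload folder.
 * The 'everest_forms' subfolder name and the idea that $stored_path comes from
 * entry meta are assumptions for illustration.
 */
function ef_example_safe_delete_entry_file( string $stored_path ): bool {
	// Directory the file must live in, resolved to its real on-disk location.
	$uploads = wp_upload_dir();
	$base    = realpath( trailingslashit( $uploads['basedir'] ) . 'everest_forms' );
	if ( false === $base ) {
		return false; // Upload folder missing: nothing can be deleted safely.
	}

	// NUL bytes truncate paths in C-level filesystem calls; reject outright.
	if ( false !== strpos( $stored_path, "\0" ) ) {
		return false;
	}

	// Relative values are resolved under $base; absolute ones are taken as given
	// and must still pass the containment check below.
	$candidate = path_is_absolute( $stored_path )
		? $stored_path
		: $base . DIRECTORY_SEPARATOR . $stored_path;

	// realpath() collapses '..' segments and follows symlinks, so the prefix
	// test runs against the real target, not the attacker-controlled string.
	$target = realpath( $candidate );
	if ( false === $target || ! is_file( $target ) ) {
		return false;
	}

	// Require $target to sit strictly below $base (separator included, so that
	// a sibling directory with the same prefix does not pass).
	if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
		error_log( 'ef_example: refused to delete path outside upload dir: ' . $stored_path );
		return false;
	}

	wp_delete_file( $target ); // WordPress core wrapper around unlink().
	return true;
}
```

The refusal is logged so that repeated rejections can be picked up by the delete-activity monitoring the last recommendation mentions.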


Tracking


Advisories
Source | ID | Title
EUVD | EUVD-2025-19094 | The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.
History

Tue, 08 Jul 2025 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wpeverest; Wpeverest everest Forms
CPEs | | cpe:2.3:a:wpeverest:everest_forms:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Wpeverest; Wpeverest everest Forms

Wed, 25 Jun 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Jun 2025 09:45:00 +0000

Type | Values Removed | Values Added
Description | | The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.
Title | | Everest Forms (Pro) <= 1.9.4 - Unauthenticated Path Traversal to Arbitrary File Deletion
Weaknesses | | CWE-36
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Wpeverest Everest Forms
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:44.649Z

Reserved: 2025-06-09T14:37:01.886Z

Link: CVE-2025-5927

Vulnrichment

Updated: 2025-06-25T13:37:18.301Z

NVD

Status : Analyzed

Published: 2025-06-25T10:15:23.090

Modified: 2025-07-08T14:54:00.810

Link: CVE-2025-5927

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses