Description
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through <= 3.4.1.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Script Execution via XSS in Everest Forms
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic cross‑site scripting flaw that allows an attacker to inject malicious JavaScript into pages rendered by the Everest Forms plugin. This flaw arises from the plugin’s failure to properly neutralize script‑related HTML tags, enabling arbitrary code execution within a victim’s browser session. The impact could include credential theft, defacement, or further exploitation of the site.

Affected Systems

Vendors: wpeverest; Product: Everest Forms; Affected versions: all releases up to and including 3.4.1.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Attackers would most likely exploit this via crafted content that triggers the vulnerable shortcode, requiring access to a location where the plugin processes user‑generated input. Given the moderate severity and low exploitation probability, the risk is low to moderate but warrants patching to prevent potential abuse.

Generated by OpenCVE AI on April 16, 2026 at 06:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Everest Forms plugin to version 3.4.2 or later.
  • If an update is not immediately possible, disable or remove the shortcode functionality or sanitize input to eliminate script tags.
  • Audit the website for any injected malicious code and remove it after remediation.

Generated by OpenCVE AI on April 16, 2026 at 06:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpeverest
Wpeverest everest Forms
Vendors & Products Wordpress
Wordpress wordpress
Wpeverest
Wpeverest everest Forms

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through <= 3.4.1.
Title WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability
Weaknesses CWE-80
References

Subscriptions

Wordpress Wordpress
Wpeverest Everest Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T17:08:36.498Z

Reserved: 2026-01-07T12:22:01.195Z

Link: CVE-2026-22422

cve-icon Vulnrichment

Updated: 2026-02-20T17:22:27.636Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:11.753

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22422

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses