Impact
The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized use of its test-email feature because the send_test_email() function performs no capability check, in all releases up to and including 3.4.7. Any authenticated user with Subscriber-level access or higher can invoke the function and have the site's mail server deliver messages to recipients of the attacker's choosing. The only gate is being logged in, which the lowest default role already satisfies, so authenticated attackers gain a way to abuse the plugin's email system.
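As an added illustration (this is not Everest Forms' own code; the AJAX hook name, the nonce action, the request field names and the chosen capability are all assumptions), here is the shape of handler the advisory describes, next to a version hardened with the checks a test-email endpoint should have:

```php
<?php
// Added example, not the plugin's code. The hook 'wp_ajax_evf_send_test_email',
// the nonce action 'evf_test_email_nonce', the POST fields and the capability
// 'manage_options' are assumptions made for illustration.

// BEFORE: the pattern the advisory describes. Any logged-in user who can reach
// the wp_ajax_* hook can make the site send mail to an address they supply.
function evf_send_test_email_vulnerable() {
    $to      = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $message = wp_kses_post( wp_unslash( $_POST['message'] ?? '' ) );

    // No current_user_can() and no nonce: being authenticated is the only
    // requirement, and a Subscriber account satisfies it.
    $sent = wp_mail( $to, $subject, $message );
    wp_send_json( array( 'sent' => (bool) $sent ) );
}

// AFTER: a test-email feature is an administrator's tool, so gate it on an
// admin-level capability and a nonce, and fail closed before calling wp_mail().
function evf_send_test_email_hardened() {
    // CSRF: reject requests that do not carry a nonce minted for this action.
    // check_ajax_referer() terminates the request on failure by default.
    check_ajax_referer( 'evf_test_email_nonce', 'security' );

    // Authorization: authentication alone is not enough; require the same
    // capability the plugin's settings screen requires. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $to      = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $message = wp_kses_post( wp_unslash( $_POST['message'] ?? '' ) );

    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => 'Invalid recipient.' ), 400 );
    }

    $sent = wp_mail( $to, $subject, $message );
    wp_send_json_success( array( 'sent' => (bool) $sent ) );
}

// Registering on wp_ajax_ (and not wp_ajax_nopriv_) keeps anonymous visitors
// out, but every authenticated role still reaches the handler; the capability
// check inside the function is what actually restricts it to administrators.
add_action( 'wp_ajax_evf_send_test_email', 'evf_send_test_email_hardened' );
```

The point of the pairing is that hooking a handler only on `wp_ajax_` is not an authorization control: WordPress fires that hook for every logged-in user, so the capability check and the nonce have to live inside the callback, before any side effect such as `wp_mail()`.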
Affected Systems
Any WordPress website running the Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin at version 3.4.7 or earlier is affected. No other plugins or versions are known to be impacted according to the CNA data provided. Because the flaw is reachable by Subscribers, sites with open registration enabled (the "Anyone can register" setting, whose default new-user role is Subscriber) should treat it as reachable by anyone who can create an account.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the Medium range; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no current indication of widespread exploitation. The attack path requires being logged in with Subscriber or higher capability, after which the attacker can trigger the send_test_email endpoint and send email to arbitrary recipients. Because those messages originate from the site's own mail server, they carry the site's sender domain and reputation, which makes them useful for spam, phishing and social-engineering campaigns and puts the site's mail deliverability at risk. The authentication requirement and the absence of a publicly known exploit moderate the overall risk. The fix is to update to a release newer than 3.4.7; until then, review whether open registration is enabled and watch mail logs for unexpected outbound volume from the web server.
OpenCVE Enrichment