Description
The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, resulting in the targeted file being deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical files. Prerequisite: The form must contain a file-upload or image-upload field, and disable storing entry information.
Published: 2026-04-20
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: Arbitrary file read and deletion leading to full site compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the Everest Forms WordPress plugin treating the 'old_files' field submitted with a public form as trusted server-side upload state. By injecting a path-traversal string into that parameter, an unauthenticated attacker can cause the plugin to convert the payload into a local filesystem path, attach the resulting file to outgoing notification emails, and then delete it during the post-email cleanup. The flaw is a classic directory traversal (CWE-22) that permits reading critical files such as wp-config.php and deleting any file the web server process can write to, which can remove authentication keys, delete core files, or take the site offline. This can result in complete compromise of the WordPress installation, data loss, or denial of service.

Affected Systems

The issue affects the Everest Forms plugin from wpeverest, in all releases up to and including 3.4.4. WordPress sites that run any of those versions and use a form containing a file-upload or image-upload field with entry storage disabled (the prerequisite stated in the description) are vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 8.1 indicates high severity; the vector (AV:N/AC:H/PR:N/UI:N) describes an unauthenticated network attack with no user interaction but high attack complexity. No EPSS metric is available, so the exploitation likelihood is not quantified. The vulnerability is not listed in the CISA KEV catalog, and no publicly available proof-of-concept code is cited. Any party able to submit the public form can trigger the file read or deletion. Because the affected code runs in the notification-email and cleanup path rather than in entry storage, an attacker can repeat the submission, targeting a different file each time, until a sensitive file is disclosed or deleted. The overall risk is significant, especially for sites that rely on Everest Forms for file uploads.

Generated by OpenCVE AI on April 20, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Everest Forms plugin to version 3.4.5 or later, where the old_files parameter is properly validated.
  • If an upgrade cannot be performed immediately, remove any file-upload or image-upload fields from public forms, and keep the "Store Entry Information" setting enabled, since the description states that the vulnerable path requires entry storage to be disabled.
  • Alternatively, sanitize the old_files parameter so that only URLs within the site's own uploads directory are accepted (for example with a web application firewall rule), as a temporary measure until a patch is available.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Identical to the Description shown at the top of this page.
Title | | Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-20T19:27:08.159Z

Reserved: 2026-04-03T08:11:50.519Z

Link: CVE-2026-5478

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T20:16:48.800

Modified: 2026-04-20T20:16:48.800

Link: CVE-2026-5478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses