Description
Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unsanitized user input is reflected unescaped into the rendered page by Everest Forms versions up to 3.4.8, allowing an attacker to inject arbitrary HTML and JavaScript that executes in a victim's browser in the context of the site. The flaw is classified as CWE-79 (reflected cross-site scripting) and could be used to hijack user sessions, perform actions as the victim, or deliver malicious content through the trusted site.
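The pattern behind a reflected XSS of this kind, shown as an added example that is not Everest Forms' code (the advisory does not name the affected parameter or template): a hypothetical WordPress shortcode handler that echoes an `ef_status` query parameter, first unescaped and then with WordPress's context-specific escaping. The `demo_*` names, the `ef_status` parameter, the shortcode tag and the stand-in functions that let the file run under plain `php` outside WordPress are all assumptions of this example.

```php
<?php
/**
 * Added example (not Everest Forms code): the reflected-XSS pattern in a
 * WordPress shortcode handler, beside the hardened form.
 * Hypothetical names: demo_status_*, shortcode [demo_status], GET param ef_status.
 */

// Stand-ins so the file also runs under plain `php` outside WordPress.
// They approximate the WordPress functions; inside WordPress the real ones are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function wp_unslash( $s ) { return stripslashes( (string) $s ); }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
    function add_shortcode( $tag, $cb ) { /* no-op outside WordPress */ }
}

/**
 * Vulnerable: the raw query-string value lands in two HTML contexts
 * (an attribute value and element text) without any escaping.
 * A crafted URL such as ?ef_status=%22%3E%3Cscript%3E... therefore
 * closes the attribute and injects a script element.
 */
function demo_status_vulnerable( array $get ) {
    $status = isset( $get['ef_status'] ) ? $get['ef_status'] : '';
    return '<div class="ef-status" data-status="' . $status . '">' . $status . '</div>';
}

/**
 * Hardened: normalise the input once on the way in, then escape for each
 * output context on the way out. The escaping step is what prevents XSS;
 * sanitize_text_field() only tidies the value and must not be relied on alone.
 */
function demo_status_hardened( array $get ) {
    $status = isset( $get['ef_status'] )
        ? sanitize_text_field( wp_unslash( $get['ef_status'] ) )
        : '';
    return '<div class="ef-status" data-status="' . esc_attr( $status ) . '">'
        . esc_html( $status ) . '</div>';
}

// Only the hardened handler is wired to the (hypothetical) shortcode.
add_shortcode( 'demo_status', function () {
    return demo_status_hardened( $_GET );
} );

if ( PHP_SAPI === 'cli' ) {
    // Constructed payload of the kind a crafted URL would carry in ?ef_status=...
    $payload = array( 'ef_status' => '"><script>alert(document.cookie)</script>' );
    echo 'vulnerable: ' . demo_status_vulnerable( $payload ) . PHP_EOL;
    echo 'hardened:   ' . demo_status_hardened( $payload ) . PHP_EOL;
}
```

Run with `php demo.php` to compare the two renderings: the vulnerable one emits the payload verbatim, so the quote closes `data-status` and a live `<script>` element follows; the hardened one encodes `"`, `<` and `>` as `&quot;`, `&lt;` and `&gt;`, so the value stays inert text in both the attribute and the element body. The fix for a bug like this lives in the plugin, which is why updating is the real remediation.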

Affected Systems

The vulnerability affects WordPress sites that use the Everest Forms plugin version 3.4.8 or earlier. The impact is confined to sites where the plugin is active and publicly accessible.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) rates the issue High; no EPSS score is available yet, the vulnerability is not in the CISA KEV catalog, and the SSVC assessment records no known exploitation and marks it as not automatable. No authentication is needed, but because the XSS is reflected the attacker must get a victim to open a crafted URL or submit crafted form input (UI:R); once that happens, the injected script runs in the victim's browser in the context of the site.

Generated by OpenCVE AI on June 26, 2026 at 17:06 UTC.

Remediation

Vendor Solution

Update the WordPress Everest Forms Plugin to the latest available version (at least 3.5.0).


OpenCVE Recommended Actions

  • Update the Everest Forms plugin to version 3.5.0 or later.
  • If an update is not immediately possible, remove or disable the plugin until a patch is applied.
  • As a temporary countermeasure, apply a Content Security Policy that disallows inline script execution (no 'unsafe-inline' in script-src) to limit what injected markup can do; this reduces impact but does not remove the flaw, which is only fixed by escaping the reflected input in the plugin itself.
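The site-level CSP mitigation from the list above, as an added example that is not Everest Forms' code or OpenCVE's: a WordPress mu-plugin (dropped into `wp-content/mu-plugins/`) that sends the policy on front-end requests. It starts in Report-Only mode because WordPress core, themes and plugins commonly rely on inline scripts, and an enforcing policy without 'unsafe-inline' will break them until they have been audited. The constant name, the function name and the `/csp-report` endpoint are assumptions of this example.

```php
<?php
/**
 * Added example (not Everest Forms code): interim CSP for a WordPress site
 * while a vulnerable plugin version is still installed.
 * File: wp-content/mu-plugins/demo-csp.php (hypothetical name).
 */

// Hypothetical switch: flip to false once the report log is clean.
const DEMO_CSP_REPORT_ONLY = true;

/**
 * Builds the policy string. Without 'unsafe-inline' in script-src, a reflected
 * <script> element or inline event handler is refused by the browser even
 * though the server still emits it. form-action 'self' also stops injected
 * <form> markup from posting captured input to an attacker's host.
 */
function demo_csp_policy() {
    $directives = array(
        "default-src 'self'",
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'self'",
        "report-uri /csp-report", // hypothetical collector endpoint
    );
    return implode( '; ', $directives );
}

// send_headers fires for front-end requests; the admin area is not covered here.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return; // too late to add headers; nothing sensible to do
    }
    $name = DEMO_CSP_REPORT_ONLY
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    header( $name . ': ' . demo_csp_policy() );
} );
```

Leave the policy in Report-Only mode long enough to see which legitimate inline scripts the theme and other plugins use, move those to external files or nonces, then switch the constant to enforce. A CSP narrows the blast radius of injected markup; it does not make the reflected output safe, so the plugin update still has to happen.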

Generated by OpenCVE AI on June 26, 2026 at 17:06 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
                                      Wpeverest
                                      Wpeverest everest Forms
Vendors & Products                    Wordpress
                                      Wordpress wordpress
                                      Wpeverest
                                      Wpeverest everest Forms

Fri, 26 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions.
Title                          WordPress Everest Forms plugin <= 3.4.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:33:29.091Z

Reserved: 2026-06-24T12:44:58.566Z

Link: CVE-2026-57312

Vulnrichment

Updated: 2026-06-26T15:33:24.201Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:15:02Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')