Everest Forms Wpeverest Everest Forms


By the Year

In 2026 there have been 6 vulnerabilities in Wpeverest Everest Forms with an average score of 7.4 out of ten. Last year, in 2025, Everest Forms had 11 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Everest Forms in 2026 could surpass last year's number. Last year's average CVE base score was higher by 0.44.

Year Vulnerabilities Average Score
2026 6 7.40
2025 11 7.84
2024 4 5.77
2023 0 0.00
2022 0 0.00
2021 1 6.10
2020 0 0.00
2019 1 0.00

It may take a day or so for new Everest Forms vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Wpeverest Everest Forms Security Vulnerabilities

Everest Forms 3.4.7: Capability Check Missing, Allows Unauthorized Test Email
CVE-2026-4888 4.3 - Medium - May 27, 2026

The Everest Forms Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.

AuthZ

Everest Forms 3.4.4 Arbitrary File Read/Delete via old_files
CVE-2026-5478 8.1 - High - April 20, 2026

The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, so the targeted file is deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and to denial of service through deletion of critical files. Prerequisite: the form must contain a file-upload or image-upload field and have storing of entry information disabled.

Directory traversal

Everest Forms 3.4.3 PHP Object Injection via Untrusted Deserialization
CVE-2026-3296 9.8 - Critical - April 08, 2026

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.

Marshaling, Unmarshaling

Everest Forms Pro RCE via PHP Eval (<=1.9.12)
CVE-2026-3300 9.8 - Critical - March 31, 2026

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.

Code Injection

Everest Forms Pro 1.9.10 XSS Vulnerability (Stored)
CVE-2026-27070 7.1 - High - March 19, 2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms Pro allows Stored XSS. This issue affects Everest Forms Pro: from n/a through 1.9.10.

XSS

XSS in Everest Forms 3.4.1 Script Injection Vulnerability
CVE-2026-22422 5.3 - Medium - February 19, 2026

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection. This issue affects Everest Forms: from n/a through <= 3.4.1.

Basic XSS

PHP Object Injection in Everest Forms (Pro) <=1.9.7 via mime_content_type()
CVE-2025-8871 5.6 - Medium - November 05, 2025

The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a non-required signature form field along with an image upload field. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability is only exploitable in PHP versions prior to 8.

Marshaling, Unmarshaling

WordPress Everest Forms <=1.0.5 Deserialization Object Injection
CVE-2025-60210 9.8 - Critical - October 22, 2025

Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms - Frontend Listing everest-forms-frontend-listing allows Object Injection. This issue affects Everest Forms - Frontend Listing: from n/a through <= 1.0.5.

Marshaling, Unmarshaling

Everest Forms <3.2.2: Deserialization & Object Injection Vulnerability
CVE-2025-52709 - June 27, 2025

Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms allows Object Injection. This issue affects Everest Forms: from n/a through 3.2.2.

Marshaling, Unmarshaling

Everest Forms (Pro) <=1.9.4: Arbitrary File Deletion via delete_entry_files()
CVE-2025-5927 7.5 - High - June 25, 2025

The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.

Absolute Path Traversal

Everest Forms WP Plugin XSS before 3.0.3.1
CVE-2024-8542 - May 15, 2025

The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

XSS

XSS via File Upload in WPEVEREST Everest Forms Before 3.0.9
CVE-2025-26841 - May 12, 2025

Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload.

XSS in Everest Forms <=3.1.1 via form_id param
CVE-2025-3421 6.1 - Medium - April 11, 2025

The Everest Forms Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

XSS

WordPress Everest Forms <=3.1.1 Shortcode Injection via Unvalidated Input
CVE-2025-3422 6.3 - Medium - April 11, 2025

The Everest Forms Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Code Injection

PHP Object Injection in Everest Forms <=3.1.1 via field_value (WordPress)
CVE-2025-3439 9.8 - Critical - April 11, 2025

The Everest Forms Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input from the 'field_value' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Marshaling, Unmarshaling

Everest Forms WP <3.0.9.4: Arbitrary File Upload via format()
CVE-2025-1128 9.8 - Critical - February 25, 2025

The Everest Forms Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.

Unrestricted File Upload

Everest Forms WP Plugin <3.0.8.1 Stored XSS in settings
CVE-2024-13125 - February 13, 2025

The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

XSS

Everest Forms WP Plugin <3.0.4.2: Stored XSS via Unsanitized Settings
CVE-2024-10471 - November 26, 2024

The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

XSS

Missing Auth Vulnerability in Everest Forms <= 2.0.3
CVE-2023-51377 5.3 - Medium - June 14, 2024

Missing Authorization vulnerability in WPEverest Everest Forms. This issue affects Everest Forms: from n/a through 2.0.3.

AuthZ

SSRF in Everest Forms <=2.0.7 via font_url param
CVE-2024-1812 7.2 - High - April 09, 2024

The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.7 via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

SSRF

Everest Forms 2.0.4.1 Stored XSS via Improper Input Neutralization
CVE-2023-51695 4.8 - Medium - February 01, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! allows Stored XSS. This issue affects Everest Forms Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!: from n/a through 2.0.4.1.

XSS

The Contact Form
CVE-2021-24907 6.1 - Medium - December 21, 2021

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

XSS

A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9
CVE-2019-13575 - July 18, 2019

A SQL injection vulnerability exists in the WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php.
