Skip to main content

Everest Forms CVE-2024-10471

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-11-26 contact@wpscan.com
4.8
CVSS 3.1 · Vendor: wpscan
Share

Severity by source

Vendor (wpscan) PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (wpscan) · only source for this CVE.

CVSS VectorVendor: wpscan

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 26, 2024 - 06:15 cve.org
MEDIUM 4.8

DescriptionCVE.org

The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AnalysisAI

The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Affected products include: Wpeverest Everest Forms. Version information: before 3.0.4.2.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2026-11571 HIGH POC
7.5 Jul 09

Information disclosure in the Everest Forms WordPress plugin before 3.5.0 allows unauthenticated remote attackers to dow

CVE-2025-1128 CRITICAL
9.8 Feb 25

The Everest Forms - Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is

CVE-2025-3439 CRITICAL
9.8 Apr 11

The Everest Forms - Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is

CVE-2026-12270 MEDIUM POC
6.5 Jul 09

Unauthenticated remote attackers can completely bypass access controls on Everest Forms REST API endpoints in all plugin

CVE-2021-24907 MEDIUM POC
6.1 Dec 21

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter befo

CVE-2019-13575 CRITICAL
9.8 Jul 18

A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Rated critical sever

CVE-2025-5927 HIGH
7.5 Jun 25

The Everest Forms (Pro) WordPress plugin versions up to 1.9.4 contain an arbitrary file deletion vulnerability in the de

CVE-2024-13125 LOW POC
3.5 Feb 13

The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow h

CVE-2024-1812 HIGH
7.2 Apr 09

The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including

CVE-2025-26841 MEDIUM
6.1 May 12

Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code

CVE-2023-51695 MEDIUM
5.9 Feb 01

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest

CVE-2025-3422 MEDIUM
5.4 Apr 11

The The Everest Forms - Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress

Share

CVE-2024-10471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy