Skip to main content

Everest Forms CVE-2025-3422

MEDIUM
Code Injection (CWE-94)
2025-04-11 security@wordfence.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:36 vuln.today
Patch released
Mar 28, 2026 - 18:36 nvd
Patch available
CVE Published
Apr 11, 2025 - 13:15 nvd
MEDIUM 5.4

DescriptionCVE.org

The The Everest Forms - Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

AnalysisAI

The The Everest Forms - Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. The The Everest Forms - Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. Affected products include: Wpeverest Everest Forms.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

CVE-2026-11571 HIGH POC
7.5 Jul 09

Information disclosure in the Everest Forms WordPress plugin before 3.5.0 allows unauthenticated remote attackers to dow

CVE-2025-1128 CRITICAL
9.8 Feb 25

The Everest Forms - Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is

CVE-2025-3439 CRITICAL
9.8 Apr 11

The Everest Forms - Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is

CVE-2026-12270 MEDIUM POC
6.5 Jul 09

Unauthenticated remote attackers can completely bypass access controls on Everest Forms REST API endpoints in all plugin

CVE-2021-24907 MEDIUM POC
6.1 Dec 21

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter befo

CVE-2019-13575 CRITICAL
9.8 Jul 18

A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Rated critical sever

CVE-2024-10471 MEDIUM POC
4.8 Nov 26

The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow h

CVE-2025-5927 HIGH
7.5 Jun 25

The Everest Forms (Pro) WordPress plugin versions up to 1.9.4 contain an arbitrary file deletion vulnerability in the de

CVE-2024-13125 LOW POC
3.5 Feb 13

The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow h

CVE-2024-1812 HIGH
7.2 Apr 09

The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including

CVE-2025-26841 MEDIUM
6.1 May 12

Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code

CVE-2023-51695 MEDIUM
5.9 Feb 01

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest

Share

CVE-2025-3422 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy