CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.
Analysis (AI)
The Everest Forms (Pro) WordPress plugin, in all versions up to and including 1.9.4, contains an arbitrary file deletion vulnerability in the delete_entry_files() function caused by insufficient path validation (CWE-36). An unauthenticated attacker cannot perform the deletion directly: the file reference attached to a form entry is attacker-controlled, but it is only acted on when an administrator deletes that entry, which is why the vector carries UI:R and AC:H. Deleting wp-config.php drops WordPress back into its setup routine, which is the usual route from file deletion to remote code execution. The CVSS 3.1 base score is 7.5 (High): exploitation needs only routine admin activity rather than the admin's cooperation, and a successful attack yields full control of the site.
Technical Context (AI)
The flaw sits in the form entry deletion path of the Everest Forms (Pro) plugin for WordPress. Its root cause is classified as CWE-36 (Absolute Path Traversal): delete_entry_files() hands a stored file path to the filesystem without confirming that it resolves to a location inside the directory the plugin is meant to manage, so a path containing an absolute location or '../' segments reaches unlink() unchanged. Validation on delete is easy to omit because the path looks as if the plugin itself produced it when the entry was saved, but anything persisted from a form submission is attacker-controlled input and must be re-checked before it is acted on. The impact is high because plugin code runs as the web server user with that user's full filesystem access; removing wp-config.php does not merely break the site, it puts WordPress into the installation wizard, the point at which the chain becomes remote code execution.
Remediation (AI)
Update Everest Forms (Pro) to a release later than 1.9.4 that the vendor (WP Everest) identifies as containing the fix; the fix should canonicalize the stored path and refuse to delete anything that resolves outside the directory the plugin manages. Until the patched build is installed: (1) avoid deleting form entries on affected versions, since the administrator's deletion is the step that performs the attacker's file removal, or disable entry deletion if it is not needed; (2) limit entry deletion to as few administrator accounts as possible; (3) if a WAF is available, flag form submissions (not the later deletion request, which is a normal admin action) whose file fields contain path traversal sequences or absolute paths; (4) alert on deletion of wp-config.php and other files outside the uploads directory, for example with file integrity monitoring or audit logging, and keep a tested backup so a deleted configuration can be restored before anyone reaches the setup wizard. Confirm the fixed version number on the official Everest Forms site or vendor advisory rather than assuming one.
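The following is an added example written for this page; it is not Everest Forms' code and does not reproduce the plugin's internals. It illustrates the class of bug described in the Technical Context section (a delete routine that trusts a stored file path) beside the kind of check the Remediation section calls for: canonicalize the path with realpath() and refuse anything that does not sit under the one directory the code is allowed to manage. The function names, the $entry structure and the temporary fixture paths are assumptions for illustration; in a real WordPress plugin the allowed directory would come from wp_upload_dir()['basedir'] or a subdirectory of it.

```php
<?php
// Added example, not Everest Forms' code. Function names, the $entry shape
// and the demo paths are assumptions for illustration.

// Vulnerable pattern: whatever path was stored with the entry gets unlinked.
function delete_entry_files_vulnerable(array $entry): void
{
    foreach ($entry['files'] as $path) {
        if (is_file($path)) {
            unlink($path);
        }
    }
}

// Hardened version: canonicalize with realpath() and require the result to
// sit under $allowedDir. Returns the paths that were actually deleted.
function delete_entry_files_hardened(array $entry, string $allowedDir): array
{
    $deleted = [];
    $base = realpath($allowedDir);
    if ($base === false) {
        return $deleted; // allowed directory missing: delete nothing
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach ($entry['files'] as $path) {
        // realpath() collapses '..' segments and follows symlinks, and
        // returns false for a nonexistent path; both cases mean "skip".
        $real = realpath($path);
        if ($real === false || !is_file($real)) {
            continue;
        }
        // Prefix check on the canonical path. The trailing separator on
        // $base stops "/srv/uploads-evil/x" from matching "/srv/uploads".
        if (strncmp($real, $base, strlen($base)) !== 0) {
            error_log("refusing to delete file outside allowed dir: $path");
            continue;
        }
        if (unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Constructed fixture: a throwaway "site root" holding an uploads directory
// and a stand-in for wp-config.php.
function make_fixture(): array
{
    $root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'efp-demo-' . bin2hex(random_bytes(4));
    $uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
    mkdir($uploads, 0700, true);
    file_put_contents($uploads . DIRECTORY_SEPARATOR . 'attachment.pdf', 'pdf');
    file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', '<?php // secrets');
    return [$root, $uploads];
}

function remove_fixture(string $root, string $uploads): void
{
    @unlink($uploads . DIRECTORY_SEPARATOR . 'attachment.pdf');
    @unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
    @rmdir($uploads);
    @rmdir($root);
}

// A stored entry whose file list names a legitimate upload and, via a
// traversal sequence, the config file one level above the uploads directory.
foreach (['vulnerable', 'hardened'] as $mode) {
    [$root, $uploads] = make_fixture();
    $entry = ['files' => [
        $uploads . DIRECTORY_SEPARATOR . 'attachment.pdf',
        $uploads . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'wp-config.php',
    ]];

    if ($mode === 'vulnerable') {
        delete_entry_files_vulnerable($entry);
    } else {
        delete_entry_files_hardened($entry, $uploads);
    }

    printf("%-10s wp-config.php present afterwards: %s\n",
        $mode, file_exists($root . DIRECTORY_SEPARATOR . 'wp-config.php') ? 'yes' : 'no');
    remove_fixture($root, $uploads);
}
```

Two details carry the weight here. The containment check is done on the canonical path returned by realpath(), not on the raw string, so a symlink planted inside the allowed directory and pointing at wp-config.php also fails the check, because realpath() resolves it to its target. And realpath() returning false (nonexistent path) is treated as "do not touch" rather than falling through to unlink(), so the routine fails closed.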
EUVD-2025-19094