CVE-2025-5927

EUVD-2025-19094 | HIGH
Published 2025-06-25 | Assigner: [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 23:19 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 23:19 (euvd) - EUVD-2025-19094
CVE Published: Jun 25, 2025 - 10:15 (nvd) - HIGH 7.5

Description

The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.

Analysis

The Everest Forms (Pro) WordPress plugin versions up to 1.9.4 contain an arbitrary file deletion vulnerability in the delete_entry_files() function due to insufficient path validation (CWE-36). Unauthenticated attackers can delete arbitrary files on the server by tricking an administrator into deleting a form entry, potentially leading to remote code execution through deletion of critical files like wp-config.php. This is a high-severity vulnerability (CVSS 7.5) that requires social engineering or admin interaction but can completely compromise WordPress installations.

Technical Context

The vulnerability exists in the Everest Forms plugin for WordPress, in the form entry deletion functionality. The root cause is CWE-36 (Absolute Path Traversal): the delete_entry_files() function neither sanitizes nor validates the stored file paths before deleting them, so a path that points outside the plugin's upload directory is deleted as readily as a legitimate upload. This is a classic file operation flaw in web applications that manage files without strict input validation. The WordPress plugin architecture makes it particularly dangerous, because plugins run with the privileges of WordPress core, and deleting wp-config.php immediately takes the entire installation offline (and, as the description notes, opens the door to remote code execution).
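The containment check that the description says delete_entry_files() lacks, shown as an added Python example (not the plugin's PHP code and not vuln.today's): the weak pattern trusts a stored path, the hardened pattern resolves it and refuses anything outside the uploads directory. All directory names and file contents below are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def delete_entry_file_unsafe(uploads_dir: str, stored_path: str) -> bool:
    """Weak pattern (CWE-36): trusts the stored path. os.path.join() discards
    uploads_dir when stored_path is absolute, so the stored path alone decides
    which file is removed."""
    target = os.path.join(uploads_dir, stored_path)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def delete_entry_file_safe(uploads_dir: str, stored_path: str) -> bool:
    """Hardened pattern: reject absolute paths, resolve '..' and symlinks, and
    require the result to sit strictly below uploads_dir. Raises ValueError on
    a containment failure so the caller can log the attempt."""
    base = Path(uploads_dir).resolve()
    if os.path.isabs(stored_path):
        raise ValueError("absolute path rejected")
    target = (base / stored_path).resolve()
    if base not in target.parents:
        raise ValueError(f"path escapes uploads dir: {stored_path}")
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed sandbox: a fake uploads dir and a fake wp-config.php two levels up."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads" / "everest_forms"
    uploads.mkdir(parents=True)
    (uploads / "entry-1.pdf").write_text("legit upload")
    config = root / "wp-config.php"
    config.write_text("<?php // constructed stand-in for a critical file")

    def attempt(stored: str) -> str:
        try:
            return "deleted" if delete_entry_file_safe(str(uploads), stored) else "missing"
        except ValueError:
            return "rejected"

    return {  # dict literal evaluates in source order
        "safe_legit": attempt("entry-1.pdf"),
        "rel_traversal": attempt("../../wp-config.php"),
        "abs_path": attempt(str(config)),
        "config_survives_safe": config.exists(),
        "unsafe_abs": delete_entry_file_unsafe(str(uploads), str(config)),
        "config_survives_unsafe": config.exists(),
    }
```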

Affected Products

Everest Forms (Pro) plugin for WordPress, all versions up to and including 1.9.4. The vulnerability affects both free and Pro editions of the plugin. CPE identification would be: cpe:2.3:a:wpeverest:everest_forms:*:*:*:*:*:wordpress:*:* with version range <=1.9.4. Affected WordPress installations running Everest Forms on any supported WordPress version are in scope, as the vulnerability exists in the plugin's core file deletion logic regardless of WordPress version.

Remediation

Users should immediately update Everest Forms to a version greater than 1.9.4 once available from the plugin vendor (WP Everest). The patch should include proper file path validation and sanitization in the delete_entry_files() function. Interim workarounds prior to patch availability include:

(1) Restrict file deletion permissions by disabling entry deletion features if they are not critical to operations.
(2) Implement WordPress user role restrictions to limit which administrators can delete form entries.
(3) Apply Web Application Firewall (WAF) rules to detect path traversal patterns in form entry deletion requests.
(4) Monitor file system access logs for unexpected deletions of critical files.

Recommendation: Update to patched version 1.9.5 or later as soon as released; verify patch availability on the official Everest Forms repository or vendor advisory page.

Priority Score

Score: 38
KEV: 0
EPSS: +0.9
CVSS: +38
POC: 0
