Skip to main content

WPEverest Everest Forms Pro CVE-2026-27070

| EUVDEUVD-2026-13091 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 19, 2026 - 09:22 euvd
EUVD-2026-13091
Analysis Generated
Mar 19, 2026 - 09:22 vuln.today
CVE Published
Mar 19, 2026 - 09:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms Pro allows Stored XSS.This issue affects Everest Forms Pro: from n/a through 1.9.10.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in the Everest Forms Pro WordPress plugin that allows attackers to inject malicious scripts into web pages. The plugin versions through 1.9.10 are affected, and the vulnerability can be exploited over the network with low attack complexity requiring no privileges but user interaction. With a CVSS score of 7.1 and reported by Patchstack audit team, this represents a moderate-to-high severity issue with scope change indicating potential impact beyond the vulnerable component.

Technical ContextAI

This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically manifesting as a stored XSS flaw. The Everest Forms Pro plugin for WordPress fails to properly sanitize and encode user-supplied input before rendering it in web pages, allowing attackers to inject JavaScript or HTML that persists in the application database. The CVSS vector indicates network-based exploitation (AV:N) with changed scope (S:C), meaning the vulnerable component and impacted component are different, typical of XSS where the attacker compromises one user's session to affect others. The affected software is a premium WordPress form builder plugin developed by WPEverest, used for creating contact forms, surveys, and other data collection interfaces on WordPress sites.

RemediationAI

Administrators should immediately upgrade Everest Forms Pro to a version newer than 1.9.10, checking the WPEverest website or WordPress dashboard for the latest patched release. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/everest-forms-pro/vulnerability/wordpress-everest-forms-pro-plugin-1-9-10-cross-site-scripting-xss-vulnerability for specific patch details and version information. Until patching is completed, consider temporarily disabling the Everest Forms Pro plugin if it is not business-critical, or restrict access to form creation and editing capabilities to only highly trusted administrators. Implement Content Security Policy (CSP) headers on the WordPress site to mitigate XSS impact by restricting script execution to trusted sources. Review existing form submissions and stored data for any suspicious JavaScript or HTML content that may have been injected prior to patching.

Share

CVE-2026-27070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy