Skip to main content

Everest Forms CVE-2026-4888

| EUVDEUVD-2026-32678 MEDIUM
Missing Authorization (CWE-862)
2026-05-28 security@wordfence.com GHSA-c5fm-9qvp-83r3
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 00:26 vuln.today
CVE Published
May 28, 2026 - 00:16 nvd
MEDIUM 4.3

DescriptionCVE.org

The Everest Forms - Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.

AnalysisAI

Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.

Technical ContextAI

The vulnerability resides in the class-evf-ajax.php AJAX handler of the Everest Forms plugin, specifically at line 1174 where the send_test_email() function is registered as an AJAX action accessible to authenticated WordPress users. CWE-862 (Missing Authorization) describes the root cause: the function executes the outbound email action without first verifying whether the requesting user holds the necessary WordPress capability (e.g., manage_options or a plugin-specific capability). WordPress plugins expose AJAX endpoints via wp_ajax_{action} hooks, which are accessible to any logged-in user unless the handler explicitly gates access via current_user_can(). The absence of that gate here means the authorization boundary is entirely absent. No CPE string was provided in the source data, but the affected component is definitively identified as the Everest Forms plugin by everestforms for WordPress, versions through 3.4.7, with source code publicly browsable on the WordPress Plugin Trac repository.

RemediationAI

No explicit patched version number is present in the available source data; the fix version must be confirmed via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/8bced7df-3e1a-4d7b-9ad0-64be5e18900f or the official WordPress plugin repository changelog. Site administrators should update the Everest Forms plugin to the latest available version immediately and verify the changelog confirms the missing capability check is resolved. As a compensating control prior to patching, disabling open user registration (Settings > General > Membership in WordPress) removes the lowest-friction attack path by preventing anonymous actors from obtaining Subscriber accounts. Alternatively, a WAF rule blocking AJAX POST requests containing the send_test_email action parameter from non-administrator sessions can suppress exploitation without disabling the plugin entirely, though this may interfere with legitimate admin testing workflows. Monitoring SMTP or mail relay logs for unexpected volume spikes or unfamiliar recipient domains is advisable to detect any in-progress abuse.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-4888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy