Skip to main content

PHP CVE-2026-5478

| EUVDEUVD-2026-23941 HIGH
Path Traversal (CWE-22)
2026-04-20 Wordfence GHSA-xmpv-jqm7-jj2v
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 20:37 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 20:33 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 20:00 euvd
EUVD-2026-23941
Analysis Generated
Apr 20, 2026 - 20:00 vuln.today
CVE Published
Apr 20, 2026 - 19:27 nvd
HIGH 8.1

DescriptionCVE.org

The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, resulting in the targeted file being deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical files. Prerequisite: The form must contain a file-upload or image-upload field, and disable storing entry information.

AnalysisAI

Path traversal in Everest Forms (WordPress plugin) allows unauthenticated attackers to read and delete arbitrary files on the server through malicious form submissions containing crafted old_files parameters. Vulnerable versions ≤3.4.4 use regex-based path resolution without canonicalization, enabling attackers to traverse directories, exfiltrate wp-config.php via email attachments (exposing database credentials and authentication salts), and trigger automatic deletion of targeted files post-email. CVSS 8.1 (AV:N/AC:H) reflects the remote vector with high attack complexity. EPSS and KEV status not provided; proof-of-concept details available in Wordfence advisory and plugin source code references.

Technical ContextAI

Everest Forms is a WordPress form builder plugin with file/image upload capabilities. The vulnerability resides in class-evf-form-fields-upload.php where the plugin processes old_files parameters from form submissions. The code performs regex-based string replacement to convert attacker-supplied URLs into filesystem paths without invoking realpath() canonicalization or validating directory boundaries. CWE-22 (Path Traversal) occurs when untrusted input directly influences file operations. In this case, the plugin treats client-controlled old_files data as legitimate server-side upload state, allowing payloads like '../../../../wp-config.php' to traverse out of intended upload directories. The resolved paths are used in two critical operations: (1) attachment to notification emails, causing file disclosure, and (2) unlink() calls in cleanup routines, causing file deletion. The affected CPE cpe:2.3:a:wpeverest:everest_forms_-_contact_form,_payment_form,_quiz,_survey_&_custom_form_builder identifies the exact product. The vulnerability chain combines information disclosure with destructive file operations, transforming a typical path traversal into a critical compromise vector.

RemediationAI

Upgrade Everest Forms to version 3.4.5 or later, which addresses the path traversal vulnerability per changeset 3507814 visible at https://plugins.trac.wordpress.org/changeset/3507814/everest-forms. The patch implements proper path canonicalization and directory boundary validation in the file upload handler. Until patching, implement these compensating controls with noted trade-offs: (1) Disable file-upload and image-upload fields in all public forms-this eliminates the attack vector but removes upload functionality; (2) Enable 'Store Entry Information' option in all forms with upload fields-this prevents triggering the vulnerable code path but increases database storage requirements and may conflict with privacy requirements (GDPR/data minimization); (3) Implement Web Application Firewall (WAF) rules to block form submissions containing '../' or encoded path traversal sequences in old_files parameters-this adds defense-in-depth but may cause false positives with legitimate filenames containing dots; (4) Restrict WordPress file permissions to read-only for the web server user where possible-this prevents file deletion but may break legitimate plugin update/upload functionality. Review server logs for suspicious form submissions containing path traversal patterns in POST data. After upgrade, verify wp-config.php and other critical files remain intact, and rotate database credentials and WordPress salts if compromise is suspected.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-5478 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy