Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, resulting in the targeted file being deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical files. Prerequisite: The form must contain a file-upload or image-upload field, and disable storing entry information.
AnalysisAI
Path traversal in Everest Forms (WordPress plugin) allows unauthenticated attackers to read and delete arbitrary files on the server through malicious form submissions containing crafted old_files parameters. Vulnerable versions ≤3.4.4 use regex-based path resolution without canonicalization, enabling attackers to traverse directories, exfiltrate wp-config.php via email attachments (exposing database credentials and authentication salts), and trigger automatic deletion of targeted files post-email. CVSS 8.1 (AV:N/AC:H) reflects the remote vector with high attack complexity. EPSS and KEV status not provided; proof-of-concept details available in Wordfence advisory and plugin source code references.
Technical ContextAI
Everest Forms is a WordPress form builder plugin with file/image upload capabilities. The vulnerability resides in class-evf-form-fields-upload.php where the plugin processes old_files parameters from form submissions. The code performs regex-based string replacement to convert attacker-supplied URLs into filesystem paths without invoking realpath() canonicalization or validating directory boundaries. CWE-22 (Path Traversal) occurs when untrusted input directly influences file operations. In this case, the plugin treats client-controlled old_files data as legitimate server-side upload state, allowing payloads like '../../../../wp-config.php' to traverse out of intended upload directories. The resolved paths are used in two critical operations: (1) attachment to notification emails, causing file disclosure, and (2) unlink() calls in cleanup routines, causing file deletion. The affected CPE cpe:2.3:a:wpeverest:everest_forms_-_contact_form,_payment_form,_quiz,_survey_&_custom_form_builder identifies the exact product. The vulnerability chain combines information disclosure with destructive file operations, transforming a typical path traversal into a critical compromise vector.
RemediationAI
Upgrade Everest Forms to version 3.4.5 or later, which addresses the path traversal vulnerability per changeset 3507814 visible at https://plugins.trac.wordpress.org/changeset/3507814/everest-forms. The patch implements proper path canonicalization and directory boundary validation in the file upload handler. Until patching, implement these compensating controls with noted trade-offs: (1) Disable file-upload and image-upload fields in all public forms-this eliminates the attack vector but removes upload functionality; (2) Enable 'Store Entry Information' option in all forms with upload fields-this prevents triggering the vulnerable code path but increases database storage requirements and may conflict with privacy requirements (GDPR/data minimization); (3) Implement Web Application Firewall (WAF) rules to block form submissions containing '../' or encoded path traversal sequences in old_files parameters-this adds defense-in-depth but may cause false positives with legitimate filenames containing dots; (4) Restrict WordPress file permissions to read-only for the web server user where possible-this prevents file deletion but may break legitimate plugin update/upload functionality. Review server logs for suspicious form submissions containing path traversal patterns in POST data. After upgrade, verify wp-config.php and other critical files remain intact, and rotate database credentials and WordPress salts if compromise is suspected.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23941
GHSA-xmpv-jqm7-jj2v