Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Everest Forms - Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.
AnalysisAI
Unauthorized email sending in the Everest Forms WordPress plugin (all versions up to and including 3.4.7) permits any authenticated attacker with Subscriber-level access or higher to dispatch test emails to arbitrary external addresses from the hosting server. The root cause is a missing capability check on the AJAX-exposed send_test_email() function (CWE-862), enabling low-privilege users to invoke a privileged server action without authorization. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, though the low barrier of entry (any registered user) elevates practical risk on sites with open registration.
Technical ContextAI
The vulnerability resides in the class-evf-ajax.php AJAX handler of the Everest Forms plugin, specifically at line 1174 where the send_test_email() function is registered as an AJAX action accessible to authenticated WordPress users. CWE-862 (Missing Authorization) describes the root cause: the function executes the outbound email action without first verifying whether the requesting user holds the necessary WordPress capability (e.g., manage_options or a plugin-specific capability). WordPress plugins expose AJAX endpoints via wp_ajax_{action} hooks, which are accessible to any logged-in user unless the handler explicitly gates access via current_user_can(). The absence of that gate here means the authorization boundary is entirely absent. No CPE string was provided in the source data, but the affected component is definitively identified as the Everest Forms plugin by everestforms for WordPress, versions through 3.4.7, with source code publicly browsable on the WordPress Plugin Trac repository.
RemediationAI
No explicit patched version number is present in the available source data; the fix version must be confirmed via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/8bced7df-3e1a-4d7b-9ad0-64be5e18900f or the official WordPress plugin repository changelog. Site administrators should update the Everest Forms plugin to the latest available version immediately and verify the changelog confirms the missing capability check is resolved. As a compensating control prior to patching, disabling open user registration (Settings > General > Membership in WordPress) removes the lowest-friction attack path by preventing anonymous actors from obtaining Subscriber accounts. Alternatively, a WAF rule blocking AJAX POST requests containing the send_test_email action parameter from non-administrator sessions can suppress exploitation without disabling the plugin entirely, though this may interfere with legitimate admin testing workflows. Monitoring SMTP or mail relay logs for unexpected volume spikes or unfamiliar recipient domains is advisable to detect any in-progress abuse.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32678
GHSA-c5fm-9qvp-83r3