Skip to main content

Everest Forms EUVDEUVD-2026-39725

| CVE-2026-57312 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-j2w9-xgpf-ccm7
7.1
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Network-reachable reflected XSS, no auth, but requires a victim click (UI:R); scope changes into the browser context (S:C) with low confidentiality/integrity impact and no genuine availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:55 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions.

AnalysisAI

Reflected cross-site scripting in the Everest Forms WordPress plugin (versions 3.4.8 and earlier) lets an unauthenticated attacker craft a malicious link that, when opened by a victim, executes arbitrary JavaScript in the victim's browser under the affected site's origin. The CVSS:3.1 base score is 7.1 (scope-changed, low impact across C/I/A) and exploitation requires victim user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft link with XSS payload
Delivery
Lure victim to click (phishing/social)
Exploit
Payload reflected by Everest Forms unsanitized
Execution
Script executes in victim browser at site origin
Impact
Steal session or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) but does require victim user interaction (UI:R) - a target must open an attacker-crafted link/request that reflects the malicious payload through Everest Forms on a site running version 3.4.8 or earlier with the plugin installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially complete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the target WordPress site embedding a script payload in a parameter that Everest Forms reflects, then distributes it via phishing, comments, or social media. When a logged-in administrator or visitor clicks the link, the script runs in their browser under the site's origin, enabling session/cookie theft, forced admin actions, or content manipulation. …
Remediation Upgrade Everest Forms to a fixed release newer than 3.4.8 once published by the vendor; the input data does not include a confirmed fixed version, so verify the exact patched version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/everest-forms/vulnerability/wordpress-everest-forms-plugin-3-4-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) and the WordPress.org plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable Everest Forms plugin immediately across all WordPress instances; inventory all sites running Everest Forms 3.4.8 or earlier; search logs for suspicious referrer patterns containing script tags. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy