Recent Vulnerabilities Product List Research Posts Trends Blog About Contact

Published: 25/02/2025 Updated: 25/02/2025

Unauthenticated Arbitrary File Upload, Read, and Delete in Everest Forms WordPress Plugin

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated malicious users to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.

CWE-434 https://nvd.nist.gov https://www.first.org/epss https://github.com/wpeverest/everest-forms/commit/7d37858d2c614aa107b0f495fe50819a3867e7f5 https://github.com/wpeverest/everest-forms/pull/1406/files https://plugins.trac.wordpress.org/changeset/3237831/everest-forms/trunk/includes/abstracts/class-evf-form-fields-upload.php#file0 https://plugins.trac.wordpress.org/changeset/3243663/everest-forms#file7 https://www.wordfence.com/threat-intel/vulnerabilities/id/8c04d8c9-acad-4832-aa8a-8372c58a0387?source=cve

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2025-1128

Vulnerability Summary

Vulnerability Trend

References

Vulmon Search

About

Products

Connect