Everest Forms < 3.0.9.5 – Unauthenticated Arbitrary File Upload, Read, and Deletion | CVE 2025-1128 | Plugin Vulnerabilities

Description

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.

Affects Plugins

Fixed in 3.0.9.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8c04d8c9-acad-4832-aa8a-8372c58a0387

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

26cdd6ec-06c0-4632-b7cc-fcb0406d37d4

Timeline

Publicly Published

2025-02-17 (about 1 year ago)

Added

2025-02-26 (about 1 year ago)

Last Updated

2026-05-12 (about 23 hours ago)

Other

Published

Title

Published

2024-10-25

Title

Ajar in5 Embed < 3.1.4 - Unauthenticated Arbitrary File Upload

Published

2024-10-25

Title

Automatic Translation <= 1.0.4 - Unauthenticated Arbitrary File Upload

Published

2012-06-05

Title

Member Private Conversation < 1.4 - Unrestricted File Upload

Published

2025-04-25

Title

Crossword Compiler Puzzles < 5.3 - Subscriber+ Arbitrary File Upload

Published

2026-04-08

Title

WP-BusinessDirectory – Business directory plugin for WordPress < 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload