WordPress Plugin Vulnerabilities

Everest Forms < 3.5.0 - Unauthenticated Sensitive Information Exposure via Residual CSV Artifacts

Description

The plugin does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via predictable, enumerable filenames.

Exploitation requires the Everest Forms Pro add-on to be active (the CSV email-attachment option is provided by Pro) and a form with more than one email notification where the CSV attachment is enabled on a notification that is not processed last. Form entry identifiers are sequential and are returned to the submitter in the submission response, which makes the retained artifacts straightforward to enumerate.

Proof of Concept

Affects Plugins

Fixed in 3.5.0

References

Classification

Type
SENSITIVE DATA DISCLOSURE
CWE

Miscellaneous

Original Researcher
Duy Tran
Submitter
Duy Tran
Submitter website
Verified
Yes

Timeline

Publicly Published
2026-06-18 (about 21 days ago)
Added
2026-06-18 (about 20 days ago)
Last Updated
2026-06-19 (about 19 days ago)

Other