{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5478", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-03T08:11:50.519Z", "datePublished": "2026-04-20T19:27:08.159Z", "dateUpdated": "2026-04-20T19:27:08.159Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-20T19:27:08.159Z"}, "affected": [{"vendor": "wpeverest", "product": "Everest Forms \u2013 Contact Form, Payment Form, Quiz, Survey & Custom Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, resulting in the targeted file being deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical files. Prerequisite: The form must contain a file-upload or image-upload field, and disable storing entry information."}], "title": "Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8641eb53-6a9a-4549-b8ef-e37acbcc7f03?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1306"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1665"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1581"}, {"url": "https://plugins.trac.wordpress.org/changeset/3507814/everest-forms"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "ll"}], "timeline": [{"time": "2026-04-03T08:28:02.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-20T07:13:38.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, resulting in the targeted file being deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical files. Prerequisite: The form must contain a file-upload or image-upload field, and disable storing entry information."}], "id": "CVE-2026-5478", "lastModified": "2026-04-20T20:16:48.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-20T20:16:48.800", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1306"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1581"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1665"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3507814/everest-forms"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8641eb53-6a9a-4549-b8ef-e37acbcc7f03?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:39:11.527453+00:00", "value": {"mitigation_remediation": ["Update the Everest Forms plugin to version 3.4.5 or later, where the old_files parameter is properly validated.", "If an upgrade cannot be performed immediately, disable the \u201cStore Entry Information\u201d setting in the form configuration and remove any file\u2011upload or image\u2011upload fields from public forms to block the attack surface.", "Alternatively, block the old_files parameter in the form by sanitizing input to allow only safe paths or configure WordPress to deny directory traversal in uploaded fields, though this is a temporary measure until a patch is available."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file read and deletion leading to full site compromise"}, "threat_synthesis": {"affected_systems": "The issue affects the Everest Forms plugin from wpeverest, in all releases up to and including 3.4.4. WordPress sites that install any of those versions and use a form containing a file\u2011upload or image\u2011upload field, with the option to store entry information enabled, are vulnerable.", "description_and_impact": "The vulnerability arises from the Everest Forms WordPress plugin misinterpreting the \u2018old_files\u2019 field submitted by users. By injecting a path\u2011traversal string into that parameter, an unauthenticated attacker can cause the plugin to convert the payload into a local filesystem path and attach the file to outgoing emails or delete it during cleanup. The flaw is a classic directory traversal (CWE\u201122) that permits reading critical files such as wp\u2011config.php and deleting any file the web server can reach, which can undo authentication keys, override core files, or disable the site. This can result in complete compromise of the WordPress installation, data loss, or denial of service.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity. No EPSS metric is available, but the lack of an EPSS rating suggests the exploitation likelihood is not quantified. The vulnerability is not listed in the CISA KEV catalog, and no publicly available proof\u2011of\u2011concept code is cited. The attack vector is inferred to be unauthenticated remote: any entity can submit a crafted form submission to trigger the file read or delete action. Because the flaw occurs before the form data is processed for permanent storage, an attacker can replay the request multiple times or target different files until a vulnerability is exposed. The overall risk is significant, especially for sites that rely on Everest Forms for file uploads."}}}}, "created": "2026-04-20T20:45:16.920496+00:00", "updated": "2026-04-20T20:45:16.920521+00:00", "vendors": []}