Security Alert Summary
The Everest Forms plugin for WordPress contains a vulnerability that allows unauthenticated attackers to read and delete arbitrary local files on the server. The issue stems from the plugin trusting attacker-controlled old_files data from public form submissions and converting supplied URLs into local filesystem paths without proper canonicalization or directory boundary enforcement. This can expose sensitive files such as wp-config.php and also cause deletion of targeted files during the plugin’s cleanup routine.
CVE Details
- CVE ID: CVE-2026-5478
- Affected component: Everest Forms plugin for WordPress
- Affected versions: All versions up to, and including, 3.4.4
- Published: April 20, 2026, 8:16:48 PM
- Last modified: April 20, 2026, 8:16:48 PM
- CVSS v3.1 base score: 8.1 — HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Authentication / privileges / user interaction:
- Privileges Required: None
- User Interaction: None
- Attack Vector: Network
- Attack Complexity: High
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness (CWE): CWE-22 (Path Traversal)
Technical Details
This vulnerability exists because the plugin trusts attacker-controlled old_files data submitted via public form entries when the form includes a file-upload or image-upload field and storing entry information is disabled. The plugin converts attacker-supplied URLs into local filesystem paths using regex-based string replacement without performing canonicalization or enforcing directory boundaries. As a result, an attacker can include path-traversal payloads in the old_files field that resolve to arbitrary local file paths.
When the plugin prepares notification emails, these resolved paths are attached, which enables an attacker to exfiltrate local files such as wp-config.php. The same path resolution logic is used in the post-email cleanup routine, which calls unlink() on the resolved path. That behavior allows deletion of targeted files after they are attached, leading to potential denial of service or damage to site integrity.
Prerequisite: the targeted form must include a file-upload or image-upload field and must have entry storage disabled, per the provided description.
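The two defects described above (no canonicalization, no directory boundary) are illustrated below with an added PHP example that is not code from Everest Forms or the referenced changeset. It shows the check a plugin should apply before either attaching or unlinking a path derived from a submitted URL: restrict the URL to the site's own upload URL, decode once and refuse traversal segments, canonicalize with realpath(), and require the result to sit under the upload directory. The base URL, the upload directory, the sample submission and the function names are all constructed for the demo.

```php
<?php
/**
 * Added example (not the plugin's code): resolve a user-submitted upload URL
 * to a local path and only attach or delete it when the canonical path stays
 * inside the upload directory. Base URL, base directory and the sample
 * "old_files" values are constructed for this demo.
 */

function demo_resolve_upload_path( string $url, string $base_url, string $base_dir ): ?string {
    $base_url = rtrim( $base_url, '/' ) . '/';
    // The URL must start with the site's own upload URL; anything else is not ours.
    if ( 0 !== strpos( $url, $base_url ) ) {
        return null;
    }
    // Decode once so %2e%2e is seen as '..', then refuse traversal and NUL bytes.
    $relative = rawurldecode( substr( $url, strlen( $base_url ) ) );
    if ( '' === $relative || false !== strpos( $relative, '..' ) || false !== strpos( $relative, "\0" ) ) {
        return null;
    }
    // Canonicalize both sides (symlinks, '.', '..') and enforce the boundary.
    $real_base = realpath( $base_dir );
    $real_path = realpath( rtrim( $base_dir, '/' ) . '/' . $relative );
    if ( false === $real_base || false === $real_path || ! is_file( $real_path ) ) {
        return null;
    }
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $real_path, $prefix, strlen( $prefix ) ) ) {
        return null;
    }
    return $real_path;
}

/** Cleanup that only ever unlinks paths the resolver accepted. */
function demo_cleanup_old_files( array $old_files, string $base_url, string $base_dir ): array {
    $deleted = array();
    foreach ( $old_files as $url ) {
        $path = demo_resolve_upload_path( (string) $url, $base_url, $base_dir );
        if ( null !== $path && unlink( $path ) ) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// --- Demo with a throwaway upload directory (constructed) ---
$base_dir = sys_get_temp_dir() . '/evf-demo-uploads-' . getmypid();
mkdir( $base_dir . '/2026/04', 0700, true );
file_put_contents( $base_dir . '/2026/04/photo.jpg', 'jpeg-bytes' );
$secret = sys_get_temp_dir() . '/evf-demo-secret-' . getmypid() . '.txt';
file_put_contents( $secret, 'stand-in for a file outside the upload directory' );

$base_url  = 'https://example.test/wp-content/uploads';
$submitted = array(
    $base_url . '/2026/04/photo.jpg',                          // legitimate upload
    $base_url . '/../evf-demo-secret-' . getmypid() . '.txt',  // traversal, must be rejected
    'https://evil.test/x.jpg',                                 // foreign host, must be rejected
);
foreach ( $submitted as $url ) {
    $path = demo_resolve_upload_path( $url, $base_url, $base_dir );
    printf( "%-70s => %s\n", $url, $path ?? 'REJECTED' );
}
$deleted = demo_cleanup_old_files( $submitted, $base_url, $base_dir );
printf( "deleted: %s\nfile outside uploads still present: %s\n",
    implode( ', ', $deleted ), file_exists( $secret ) ? 'yes' : 'no' );

// Tidy up the demo files.
@unlink( $secret );
@rmdir( $base_dir . '/2026/04' ); @rmdir( $base_dir . '/2026' ); @rmdir( $base_dir );
```

Running this prints the legitimate upload resolved to its canonical path, the other two entries as REJECTED, and confirms that only the in-directory file was removed by the cleanup. In a real site the same boundary check can be wrapped around the attachments array in a wp_mail filter as an interim control until the plugin is patched: any attachment whose canonical path is outside the upload directory is dropped and logged, which also gives the monitoring signal recommended below.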
How This Could Impact Your Website
Consider a site with multiple contributors: a site owner maintains the WordPress install, internal staff manage content, and external contractors submit forms. If a public form on the site includes a file-upload field and entry storage is disabled, an attacker can submit crafted form data containing path-traversal payloads in the old_files parameter. Those payloads can cause the site to attach sensitive local files to notification emails, exposing database credentials and authentication salts from wp-config.php. Disclosure of those secrets increases the risk of database access, credential reuse attacks, and targeted social engineering or phishing against staff and contractors.
Separately, the same mechanism can delete targeted files via the plugin’s cleanup routine, potentially breaking site functionality or causing downtime if critical files are removed.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins, and audit forms that accept file uploads.
- Monitor site activity, error logs, and outgoing emails for unusual behavior or unexpected attachments.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1306
- https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1581
- https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.4/includes/abstracts/class-evf-form-fields-upload.php#L1665
- https://plugins.trac.wordpress.org/changeset/3507814/everest-forms
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8641eb53-6a9a-4549-b8ef-e37acbcc7f03?source=cve