2 matches found
EUVD-2026-42511
The Everest Forms WordPress plugin before 3.5.0 does not correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the capability check is only applied when an attacker-controllable request header holds a specific value, so it can be bypassed by omitting or...
CVE-2026-12270
The Everest Forms WordPress plugin (before 3.5.0) exposes several onboarding assistant REST API endpoints without proper access control. The vulnerability arises because the capability check is only enforced when a specific attacker-controlled request header is present, allowing an unauthenticate...