Everest Forms Security Vulnerabilities and Issues — Everest Forms CVE List

Lucene search

WpeverestEverest Forms

9 matches found

CVE•added 2025/02/25 7:15 a.m.•140 views

CVE-2025-1128

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up...

9.8CVSS7.1AI score0.0124EPSS

CVE•added 2025/04/11 1:15 p.m.•105 views

CVE-2025-3439

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input from the 'field_value' parameter. This makes it possible for ...

9.8CVSS9.7AI score0.00732EPSS

CVE•added 2025/02/13 6:15 a.m.•51 views

CVE-2024-13125

The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

3.5CVSS5.7AI score0.00038EPSS

CVE•added 2025/04/11 1:15 p.m.•51 views

CVE-2025-3422

The The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not properly...

6.3CVSS5.7AI score0.00064EPSS

CVE•added 2025/04/11 1:15 p.m.•49 views

CVE-2025-3421

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. Th...

6.1CVSS6AI score0.00134EPSS

CVE•added 2025/05/12 3:15 p.m.•34 views

CVE-2025-26841

Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload.

6.1CVSS7.4AI score0.00049EPSS

CVE•added 2025/05/15 8:15 p.m.•14 views

CVE-2024-8542

The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8CVSS5.7AI score0.00039EPSS

CVE•added 2025/06/25 10:15 a.m.•9 views

CVE-2025-5927

The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the serv...

7.5CVSS8.1AI score0.00471EPSS

CVE•added 2025/06/27 12:15 p.m.•8 views

CVE-2025-52709

Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms allows Object Injection. This issue affects Everest Forms: from n/a through 3.2.2.

9.8CVSS6.5AI score0.00054EPSS