Critical vulnerability reported in Everest Forms WordPress Plugin
Take action: If you are using the Everest Forms WordPress plugin on your website, this is an urgent advisory. Update Everest Forms to the latest version IMMEDIATELY. You cannot hide this flaw: it is part of a website that is most probably visible on the internet.
A critical security vulnerability has been discovered in the Everest Forms WordPress plugin, putting over 100,000 websites at significant risk.
The vulnerability is tracked as CVE-2025-1128 (CVSS score 9.8) and allows unauthenticated attackers to upload arbitrary files, execute remote code, and delete critical system files on affected WordPress sites. The vulnerability stems from missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class. This security oversight allows attackers to:
- Upload malicious PHP code disguised as benign file types such as .csv or .txt, then rename those files to a .php extension and move them into publicly accessible WordPress upload directories
- Execute arbitrary code on the server
- Read and delete arbitrary files, including critical wp-config.php files
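As an added, illustrative example (not Everest Forms code and not the WordPress API), the following Python shows the two controls the advisory says were missing in the upload handler: validation of the file type on every dot-separated extension component (so a double extension such as shell.php.csv is refused) and validation that the destination path resolves inside the upload root. It also includes a sweep over an uploads tree that reports files a PHP web server would execute, the kind of check a site owner can run over wp-content/uploads after applying the update. The allowlist, the executable-extension set, the sample filenames and the temporary directory layout are all constructed here for the example.

```python
"""
Illustrative file-type and path validation for a form upload handler,
plus a detection sweep over an uploads directory.

Hypothetical example: this is not the plugin's code. The allowlist,
the upload root and the sample filenames are constructed here.
"""
import os
import re
import tempfile

# Extensions a form upload handler might legitimately accept (constructed allowlist).
ALLOWED_EXTENSIONS = {"csv", "txt", "pdf", "png", "jpg", "jpeg"}

# Extensions a PHP web server would execute (or use to change execution rules)
# if they ever landed in a public upload directory.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7",
                         "phar", "phps", "htaccess"}

# Only plain basenames with conservative characters are accepted.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample filenames used by demo().
SAMPLE_NAMES = ["contact.csv", "shell.php", "shell.php.csv", "shell.csv.php",
                "../wp-config.php", "notes.txt", "photo.jpg"]


def validate_upload(filename: str, upload_root: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed upload filename.

    Every dot-separated extension component must be allowlisted, so both
    'shell.php.csv' and 'shell.csv.php' are rejected, and the resolved
    destination must stay inside upload_root.
    """
    # 1. Reject path separators, traversal and unexpected characters up front.
    if filename != os.path.basename(filename) or not _SAFE_NAME.match(filename):
        return False, "filename contains path separators or unsafe characters"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "filename has no extension or is a hidden file"
    # 2. Check every extension component, not just the last one. This is
    #    deliberately strict: 'report.2024.csv' is refused too.
    for ext in parts[1:]:
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f"executable extension '.{ext}' not permitted"
        if ext not in ALLOWED_EXTENSIONS:
            return False, f"extension '.{ext}' not in allowlist"
    # 3. Defence in depth: the normalised destination must remain under the root.
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, dest]) != root:
        return False, "destination escapes the upload root"
    return True, "ok"


def find_executable_uploads(root: str) -> list[str]:
    """Walk an uploads tree and return root-relative paths of files whose
    name carries an executable extension in any component. A clean tree
    returns an empty list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            components = name.lower().split(".")[1:]
            if any(c in EXECUTABLE_EXTENSIONS for c in components):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo() -> dict:
    """Build a constructed uploads tree in a temporary directory, run the
    validator over SAMPLE_NAMES and the sweep over the tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "2025", "02"))
        for rel in ("2025/02/contact.csv", "2025/02/shell.php", "2025/02/notes.txt"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("constructed sample\n")
        return {
            "valid": {n: validate_upload(n, root)[0] for n in SAMPLE_NAMES},
            "hits": find_executable_uploads(root),
        }


if __name__ == "__main__":
    result = demo()
    for name, ok in result["valid"].items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name}")
    print("executable files found under uploads:", result["hits"])
```

The validator is intentionally stricter than "is the last extension on the list", because the rename step described above only works if an executable extension can survive somewhere in the name; checking every component closes that off. The sweep only looks at names, so it is a fast first pass; a file with an allowlisted extension that contains PHP is harmless unless it is later renamed, which the validator prevents.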
The vulnerability affects all Everest Forms versions up to and including 3.0.9.4.
WordPress site owners using the Everest Forms plugin are strongly urged to update to version 3.0.9.5 immediately.