Vulnerabilities and security researches foreverest-forms everest-forms

Direction: ascending

Jun 06, 2024

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2024-1812

CVE, Research URL: CVE-2024-1812
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Apr 10, 2024
Research Description: The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.7 via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions: max 2.0.8.
Status: vulnerable

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2023-51695

CVE, Research URL: CVE-2023-51695
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Feb 01, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! allows Stored XSS.This issue affects Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!: from n/a through 2.0.4.1.
Affected versions: max 2.0.5.
Status: vulnerable

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2021-24907

CVE, Research URL: CVE-2021-24907
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Dec 21, 2021
Research Description: The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
Affected versions: max 1.8.0.
Status: vulnerable

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2019-13575

CVE, Research URL: CVE-2019-13575
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Jul 18, 2019
Research Description: A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php
Affected versions: max 1.5.0.
Status: vulnerable

Jun 10, 2024

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2023-51377

CVE, Research URL: CVE-2023-51377
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Jun 14, 2024
Research Description: Missing Authorization vulnerability in WPEverest Everest Forms.This issue affects Everest Forms: from n/a through 2.0.3.
Affected versions: max 2.0.3.1.
Status: vulnerable

Oct 24, 2024

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2024-8542

CVE, Research URL: CVE-2024-8542
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: May 16, 2025
Research Description: The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: max 3.0.3.1.
Status: vulnerable

Nov 28, 2024

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2024-10471

CVE, Research URL: CVE-2024-10471
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Nov 26, 2024
Research Description: The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: max 3.0.4.2.
Status: vulnerable

Feb 16, 2025

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2024-13125

CVE, Research URL: CVE-2024-13125
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Feb 13, 2025
Research Description: The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: max 3.0.8.1.
Status: vulnerable

Mar 01, 2025

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2025-1128

CVE, Research URL: CVE-2025-1128
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Feb 25, 2025
Research Description: The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.
Affected versions: max 3.0.9.5.
Status: vulnerable

Apr 11, 2025

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2025-3439

CVE, Research URL: CVE-2025-3439
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Apr 11, 2025
Research Description: The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input from the 'field_value' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Affected versions: max 3.1.2.
Status: vulnerable

Apr 12, 2025

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2025-3421

CVE, Research URL: CVE-2025-3421
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Apr 11, 2025
Research Description: The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 3.1.2.
Status: vulnerable

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2025-3422

CVE, Research URL: CVE-2025-3422
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Apr 11, 2025
Research Description: The The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
Affected versions: max 3.1.2.
Status: vulnerable

May 14, 2025

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2025-26841

CVE, Research URL: CVE-2025-26841
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: May 12, 2025
Research Description: Cross Site Scripting vulnerability in WPEVEREST Everest Forms before 3.0.9 allows an attacker to execute arbitrary code via a file upload.
Affected versions: max 3.0.9.
Status: vulnerable

Jul 02, 2025

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2025-52709

CVE, Research URL: CVE-2025-52709
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Jun 27, 2025
Research Description: Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms allows Object Injection. This issue affects Everest Forms: from n/a through 3.2.2.
Affected versions: max 3.2.2.
Status: vulnerable

Aug 08, 2025

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # PSC-2025-64582

PSC, Research URL: PSC-2025-64582
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Aug 08, 2025
Research Description: Everest Forms has officially passed the Plugin Security Certification (PSC-2025-64582), issued by CleanTalk, following an exhaustive security audit. This validation affirms that Everest Forms is not only powerful in capability but also hardened against modern web threats, making it a safe solution for any WordPress website—personal, corporate, or eCommerce.
Affected versions: Min 3.4.4, max 3.4.4.
Status: SAFE & CERTIFIED

Feb 27, 2026

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2026-22422

CVE, Research URL: CVE-2026-22422
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Feb 19, 2026
Research Description: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through <= 3.4.1.
Affected versions: max 3.4.1.
Status: vulnerable

Apr 13, 2026

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2026-3296

CVE, Research URL: CVE-2026-3296
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Apr 08, 2026
Research Description: The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions.
Affected versions: max 3.4.4.
Status: vulnerable

Apr 22, 2026

Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! # CVE-2026-5478

CVE, Research URL: CVE-2026-5478
Home page URL: Security reports for Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Application: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
Date: Apr 21, 2026
Research Description: The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, resulting in the targeted file being deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical files. Prerequisite: The form must contain a file-upload or image-upload field, and disable storing entry information.
Affected versions: max 3.4.5.
Status: vulnerable