CVE-2026-5478
Path Traversal in Everest Forms Plugin Allows File Read/Delete
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| everest_forms | everest_forms | to 3.4.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Everest Forms plugin allows unauthenticated attackers to read and delete arbitrary local files, including sensitive files such as wp-config.php which contains database credentials and authentication salts.
This exposure of sensitive data and potential site compromise can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.
Specifically, unauthorized disclosure of database credentials and deletion of critical files can result in data breaches and service disruptions, both of which negatively impact compliance with these standards.
Can you explain this vulnerability to me?
The Everest Forms plugin for WordPress has a vulnerability in all versions up to and including 3.4.4 that allows unauthenticated attackers to read and delete arbitrary files on the server.
This happens because the plugin trusts attacker-controlled data from form submissions (specifically the old_files parameter) and converts attacker-supplied URLs into local filesystem paths without properly validating or restricting the paths.
Attackers can inject path-traversal payloads to access sensitive files like wp-config.php, which contains database credentials and authentication salts.
Additionally, the plugin deletes files based on the same path resolution, allowing attackers to delete critical files, potentially causing denial of service.
This requires the targeted form to have a file-upload or image-upload field and to have entry information storage disabled.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including:
- Disclosure of sensitive information such as database credentials and authentication salts by reading files like wp-config.php.
- Full site compromise due to attackers gaining access to critical configuration data.
- Denial of service caused by deletion of critical files on the server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Everest Forms plugin version is up to and including 3.4.4 and if the affected form contains a file-upload or image-upload field with disabled entry information storage.
Since the vulnerability exploits the old_files upload field parameter with path-traversal payloads, monitoring HTTP requests to the WordPress site for suspicious parameters containing path traversal patterns (e.g., ../) in form submissions can help detect exploitation attempts.
Commands to detect suspicious activity might include inspecting web server logs for unusual requests or using tools like grep to find path traversal patterns in logs. For example:
- grep -r "old_files" /var/log/apache2/access.log | grep "\.\./"
- grep -r "old_files" /var/log/nginx/access.log | grep "\.\./"
Additionally, scanning the plugin version installed on the WordPress site can be done via WP-CLI or by checking the plugin files directly.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Everest Forms plugin to a version later than 3.4.4 where this vulnerability is fixed.
If updating is not immediately possible, temporarily disabling or removing the vulnerable file-upload or image-upload fields in the affected forms can reduce risk.
Additionally, enabling entry information storage or applying strict input validation and sanitization on the old_files parameter can help prevent exploitation.
Monitoring and restricting access to critical files like wp-config.php and implementing file system permissions to prevent unauthorized deletion can also mitigate impact.