CVE-2026-4888
Status: Deferred - Pending Action
Unauthorized Email Sending in Everest Forms WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
One associated CPE:
Vendor: everest_forms
Product: everest_forms
Version / Range: all versions up to and including 3.4.7
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Impact Analysis

This vulnerability allows attackers with low-level authenticated access to send emails from your server to any email address. This could be exploited to send spam or phishing emails, potentially damaging your server's reputation and leading to blacklisting of your email domain.

Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access and above to send test emails to arbitrary addresses from the server due to a missing capability check.

While the CVE description does not explicitly mention compliance impacts, unauthorized email sending from the server could lead to misuse of personal data or spam, which may have implications under data-privacy and security standards such as GDPR or HIPAA.

However, there is no direct information provided about specific compliance violations or regulatory impacts caused by this vulnerability.

Executive Summary

The vulnerability exists in the Everest Forms WordPress plugin, specifically in the send_test_email() function. Due to a missing capability check, authenticated users with Subscriber-level access or higher can send test emails to arbitrary email addresses from the server without proper authorization.
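To make the CWE-862 pattern concrete, the following is an added, hypothetical WordPress admin-ajax handler; it is not Everest Forms' send_test_email() code. All function names beginning with example_ and the nonce action name are assumptions. The first handler shows the shape of a test-email action with no authorization check; the second adds the capability check, a nonce check and recipient validation that a hardened version would carry.

```php
<?php
// Added, hypothetical example (not Everest Forms code). Any logged-in user can
// reach a wp_ajax_* action, so the handler itself must decide who is allowed.

// BEFORE (vulnerable shape): nothing checks the caller's capability, so any
// authenticated account, Subscriber included, could trigger outbound mail.
function example_send_test_email_unchecked() {
    $to = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    wp_mail( $to, 'Test email', 'This is a test.' );
    wp_send_json_success();
}

// AFTER (hardened): fail closed unless the caller holds an administrative
// capability and presents a nonce issued for this exact action.
function example_send_test_email_checked() {
    // Authorization check: the control that CWE-862 describes as missing.
    // wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF protection: 'example_send_test_email' is an assumed nonce action name.
    check_ajax_referer( 'example_send_test_email', 'nonce' );

    // Validate the recipient instead of forwarding whatever was posted.
    $to = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => 'Invalid recipient address.' ), 400 );
    }

    $sent = wp_mail( $to, 'Test email', 'This is a test.' );
    if ( ! $sent ) {
        wp_send_json_error( array( 'message' => 'Mail could not be sent.' ), 500 );
    }
    wp_send_json_success( array( 'message' => 'Test email sent.' ) );
}

// Register only the checked handler, and only for logged-in users
// (no wp_ajax_nopriv_* registration for a privileged action).
add_action( 'wp_ajax_example_send_test_email', 'example_send_test_email_checked' );
```

The capability check has to live in the server-side handler: hiding the "send test email" button from non-administrators in the UI does not stop a request crafted directly against admin-ajax.php. For detection while a patch is pending, a site owner can watch web-server logs for admin-ajax.php requests carrying the plugin's test-email action from accounts that do not hold an administrative role.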
