CVE-2026-4888
Status: Received - Intake
Unauthorized Email Sending in Everest Forms WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.
Meta Information
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor          Product         Version / Range
everest_forms   everest_forms   up to and including 3.4.7
CWE ID     Description
CWE-862    The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the Everest Forms WordPress plugin, specifically in the send_test_email() function. Due to a missing capability check, authenticated users with Subscriber-level access or higher can send test emails to arbitrary email addresses from the server without proper authorization.


How can this vulnerability impact me?

This vulnerability allows attackers with low-level authenticated access to send emails from your server to any email address. This could be exploited to send spam or phishing emails, potentially damaging your server's reputation and leading to blacklisting of your email domain.

