CVE-2026-11571
Received Received - Intake

Temporary CSV File Exposure in Everest Forms

Vulnerability report for CVE-2026-11571, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: WPScan

Description

The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via predictable, enumerable filenames.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
everest_forms everest_forms to 3.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Everest Forms WordPress plugin versions prior to 3.5.0 have a vulnerability where temporary CSV files generated during email-notification processing are not reliably deleted.

These CSV files remain publicly accessible in the uploads directory, allowing unauthenticated attackers to access other users' form submission records.

Attackers can retrieve these files by exploiting predictable and enumerable filenames, especially since form entry identifiers are sequential and returned in submission responses.

Exploitation requires the Everest Forms Pro add-on to be active, with the CSV email-attachment feature enabled on a notification that is not processed last and with more than one email notification configured.

Impact Analysis

This vulnerability can lead to sensitive information disclosure, as attackers can access other users' form submission data without authentication.

Such exposure of personal or sensitive data can compromise user privacy and trust, potentially leading to data breaches.

The vulnerability is classified as medium severity with a CVSS score of 5.9 and falls under the OWASP Top 10 category A3 (Sensitive Data Exposure).

Detection Guidance

This vulnerability can be detected by checking the uploads directory of the Everest Forms WordPress plugin for the presence of temporary CSV files that are publicly accessible. Since the filenames are predictable and enumerable due to sequential form entry identifiers, you can look for CSV files that correspond to form submissions.

A practical approach is to enumerate the uploads directory for CSV files related to form submissions, especially if the Everest Forms Pro add-on is active and multiple email notifications with CSV attachments are configured.

Suggested commands to detect these files on a server might include:

  • Using command line to list CSV files in the uploads directory, e.g., `find /path/to/wp-content/uploads/ -name '*.csv'`
  • Using curl or wget to attempt to access predictable CSV filenames via HTTP, for example: `curl http://example.com/wp-content/uploads/form-submission-1.csv` and incrementing the number to enumerate files.
Mitigation Strategies

The immediate mitigation step is to update the Everest Forms plugin to version 3.5.0 or later, where this vulnerability has been fixed.

If updating immediately is not possible, restrict public access to the uploads directory where temporary CSV files are stored, for example by using web server configuration rules (like .htaccess for Apache) to deny access to CSV files or the uploads directory.

Additionally, review and limit the use of multiple email notifications with CSV attachments in the Everest Forms Pro add-on, as the vulnerability requires this configuration to be exploitable.

Compliance Impact

This vulnerability leads to sensitive data exposure by leaving temporary CSV files containing users' form submission records publicly accessible. Such unauthorized disclosure of personal or sensitive information can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and security of personal data.

Specifically, the failure to delete these temporary files and their predictable, enumerable filenames increase the risk of data breaches, potentially violating requirements for data minimization, access control, and data security under these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11571. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart