CVE-2026-12270
Received Received - Intake

Unauthenticated REST API Access in Everest Forms WordPress Plugin

Vulnerability report for CVE-2026-12270, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: WPScan

Description

The Everest Forms WordPress plugin before 3.5.0 does not correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the capability check is only applied when an attacker-controllable request header holds a specific value, so it can be bypassed by omitting or changing that header. This makes it possible for unauthenticated attackers to read onboarding status information, modify the related Everest Forms WordPress plugin before 3.5.0 options, and trigger an email from the site to an arbitrary address.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
everest_forms everest_forms to 3.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-12270 is a vulnerability in the Everest Forms WordPress plugin versions before 3.5.0. It occurs because the plugin does not properly restrict access to several REST API endpoints related to its onboarding assistant.

The plugin applies a capability check only when a specific request header has a certain value. However, this check can be bypassed by omitting or changing that header, allowing unauthenticated attackers to access these endpoints.

As a result, attackers can read onboarding status information, modify plugin options, and trigger emails from the site to arbitrary email addresses without needing to authenticate.

Impact Analysis

This vulnerability can have several impacts on a site using the affected Everest Forms plugin versions:

  • Unauthenticated attackers can read sensitive onboarding status information.
  • Attackers can modify plugin options, potentially changing site behavior or configurations.
  • Attackers can trigger emails from the site to arbitrary email addresses, which could be used for spam or phishing.
Detection Guidance

This vulnerability can be detected by attempting to access the Everest Forms plugin's onboarding assistant REST API endpoints without authentication and by omitting or altering the specific request header that is supposed to restrict access.

A practical approach is to send HTTP requests to the plugin's REST endpoints related to the onboarding assistant and observe if you can read onboarding status information or trigger actions such as sending emails without proper authentication.

  • Use curl or similar tools to send requests without the specific header or with altered header values to endpoints like /wp-json/everest-forms/v1/onboarding or similar paths.
  • Example curl command to test unauthorized access: curl -X GET https://yourwordpresssite.com/wp-json/everest-forms/v1/onboarding
  • Example curl command to test modifying options or triggering emails: curl -X POST https://yourwordpresssite.com/wp-json/everest-forms/v1/onboarding -d '{"action":"send_test_email","email":"[email protected]"}' -H "Content-Type: application/json"
Mitigation Strategies

The immediate and most effective mitigation step is to update the Everest Forms WordPress plugin to version 3.5.0 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict access to the REST API endpoints related to the Everest Forms onboarding assistant by implementing additional access controls at the web server or application firewall level.

  • Apply IP whitelisting or authentication requirements to the REST API endpoints used by Everest Forms.
  • Monitor logs for suspicious requests to the Everest Forms REST API endpoints that omit or alter the specific header.
Compliance Impact

The vulnerability allows unauthenticated attackers to access and modify sensitive plugin options and trigger emails to arbitrary addresses by bypassing access controls. This unauthorized access and potential data manipulation could lead to violations of data protection principles required by standards such as GDPR and HIPAA, which mandate strict access controls and protection of personal data.

Specifically, the ability to read onboarding status information and send emails without authentication may expose personal or sensitive information, increasing the risk of data breaches and non-compliance with regulations that require safeguarding user data and ensuring only authorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12270. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart