Everest Forms WordPress Plugin Arbitrary File Upload Vulnerability

A vulnerability in the Everest Forms WordPress plugin, specifically in versions through 3.0.9.4, allows for arbitrary file upload, reading, and deletion. This issue arises from inadequate validation of file types and paths in the 'format' method of the EVF_Form_Fields_Upload class. As a result, unauthenticated attackers can upload, access, and delete arbitrary files on the server, potentially leading to remote code execution, unauthorized disclosure of sensitive information, or a complete takeover of the affected site.

Impact

Exploitation of this vulnerability could result in arbitrary file upload, allowing attackers to upload malicious files that could be executed on the server. The vulnerability also permits unauthorized reading and deletion of files, which could be used to access or destroy critical data on the server. Additionally, the vulnerability could be exploited to execute arbitrary code remotely, depending on the nature of the uploaded files.

Reproduction

The vulnerability can be reproduced by uploading a file through a form created with the Everest Forms plugin, version 3.0.9.4 or earlier. The 'format' method in the 'EVF_Form_Fields_Upload' class does not properly validate the file type or path, allowing for the upload of potentially harmful files. After uploading, the same method can be exploited to read and delete files on the server.

Remediation

Users are advised to update the Everest Forms WordPress plugin to version 3.0.9.5 or later.