Everest Forms WordPress Plugin Arbitrary File Read and Deletion Vulnerability

Vulnerability

A vulnerability exists in the Everest Forms plugin for WordPress, affecting all versions through 3.4.4. The issue allows arbitrary file reading and deletion. It arises because the plugin fails to validate the 'old_files' data in public form submissions and treats it as legitimate server-side upload state. The plugin uses regex-based string replacement to convert attacker-supplied URLs into local filesystem paths without canonicalization or directory boundary enforcement. As a result, unauthenticated attackers can inject path-traversal payloads into the 'old_files' upload field parameter to read arbitrary local files, such as 'wp-config.php'. The files resolved from these payloads are attached to notification emails. The same path resolution is also applied in a post-email cleanup routine, which deletes the targeted files. Together this can lead to full site compromise, since 'wp-config.php' discloses database credentials and authentication salts, and to a denial of service when critical files are removed.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive files, such as 'wp-config.php', leading to a disclosure of database credentials and authentication salts. The vulnerability also allows for the deletion of important files, causing a denial-of-service on the affected site.

Reproduction

To reproduce this vulnerability, set up a form using the Everest Forms plugin that includes a file-upload or image-upload field, with the option to store entry information disabled. Once the form is submitted, inject a path-traversal payload into the 'old_files' upload field parameter. The plugin processes this payload and reads the targeted local file. After the file is read, the same payload causes the post-email cleanup routine to delete that file.

Remediation

Users are advised to update the Everest Forms plugin to version 3.4.5 or later, where this vulnerability has been patched.

Added: Apr 20, 2026, 8:29 PM
Updated: Apr 20, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          1.7
  exploitability  9.3
  remediation     7.7
  relevance       6.3
  threat          4.8
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.