CVE-2025-1128 CRITICAL

CVE-2025-1128: Everest Forms <= 3.0.9.4 - Unauthenticated Arbitrary File Upload, Read, and Deletion

Vendor Wpeverest
Product Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Weakness CWE-434 · Unrestricted file upload
Published February 25, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.

Key dates

02Disclosure timeline

February 25, 2025 CVE published
April 8, 2026 Record updated