CVE-2026-5478 HIGH

CVE-2026-5478: Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter

Vendor Wpeverest
Product Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
Weakness CWE-22 · Path traversal
Published April 20, 2026
Last update April 21, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, so the targeted file is deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and to denial of service through deletion of critical files. Prerequisites: the form must contain a file-upload or image-upload field, and entry storage must be disabled.

Explanation of Vulnerability in Simple Terms

02 Summary

Everest Forms versions up to 3.4.4 contain a path traversal vulnerability that allows an attacker to read, write, or delete files on the server outside the intended directory. The vulnerability requires high attack complexity but no authentication or user interaction. An attacker can access sensitive files, modify site content, or disrupt availability.

What an attacker can do

03 Attacker Capabilities

Read, write, or delete files on the server outside the intended directory.

Potential impact on your site

04 Site Impact

Attackers could steal configuration files, modify site files, or delete critical data without needing a user account.

Conditions required to exploit

05 Prerequisites

Network access; no authentication required, but exploitation requires specific conditions (high attack complexity).

Key dates

06 Disclosure timeline

April 20, 2026 CVE published
April 21, 2026 Record updated