Reflected Cross-Site Scripting Vulnerability in Everest Forms Plugin by WordPress
CVE-2025-3421

6.1MEDIUM

Key Information:

Vendor
WordPress
Status
Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder For WordPress
Vendor
CVE Published:
11 April 2025

Summary

The Everest Forms plugin for WordPress is exposed to a vulnerability due to inadequate sanitization and escaping of the 'form_id' parameter. This flaw allows unauthenticated attackers to execute arbitrary web scripts if users are deceived into clicking malicious links. It is crucial for website administrators to either upgrade to the latest version or implement security measures to mitigate potential exploitation.

Affected Version(s)

Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress * <= 3.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3268742/

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Mazzolini
.
CVE-2025-3421 : Reflected Cross-Site Scripting Vulnerability in Everest Forms Plugin by WordPress | SecurityVulnerability.io