Access Control Flaw in Everest Forms WordPress Plugin by WPMU DEV
CVE-2026-12270
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 9 July 2026
Badges
What is CVE-2026-12270?
The Everest Forms WordPress plugin prior to version 3.5.0 contains an access control issue that allows unauthenticated users to exploit vulnerabilities in its onboarding assistant features. This flaw arises from insufficient checks on specific REST API endpoints, enabling attackers to bypass capability restrictions by manipulating request headers. Consequently, malicious actors could read sensitive onboarding status data, alter plugin settings, and trigger unsolicited emails to arbitrary addresses, thus compromising the security and integrity of WordPress sites using this plugin.
Affected Version(s)
Everest Forms 3.4.2 < 3.5.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.