Arbitrary File Read and Deletion Vulnerability in Everest Forms Plugin for WordPress
CVE-2026-5478

8.1 HIGH

What is CVE-2026-5478?

The Everest Forms plugin for WordPress, in all versions up to and including 3.4.4, is vulnerable to arbitrary file read and deletion. The plugin accepts attacker-controlled data from public form submissions and treats the supplied URLs as legitimate file paths without validating or canonicalizing them, so an attacker can place path-traversal sequences in the old_files upload parameter. This can expose sensitive local files such as wp-config.php, including database credentials and authentication salts, and the targeted files can also be deleted when the plugin's routine cleanup process runs, threatening site integrity. The issue poses a severe risk when the form has a file-upload field and does not store entry information.
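The flaw class described above, as an added illustration that is not the plugin's own code: a cleanup routine that unlinks whatever path a form field supplies, beside a hardened version that canonicalizes the path and confines it to the form's upload directory. The function names and the `$base_dir` argument (standing in for the plugin's upload folder, e.g. `wp_upload_dir()['basedir']`) are assumptions for the example.

```php
<?php
// Added example, not Everest Forms code. $base_dir is assumed to be the
// form's upload directory; the function names are hypothetical.

// Vulnerable pattern: the submitted value is joined onto the base directory
// and used as a filesystem path as-is, so "../" sequences escape the directory.
function cleanup_old_file_vulnerable(string $base_dir, string $submitted): bool
{
    $path = $base_dir . '/' . $submitted;
    return file_exists($path) && unlink($path);
}

// Hardened pattern: accept only a bare file name, canonicalize with realpath()
// and require the resolved file to sit inside the canonical base directory.
// realpath() returns false for non-existent paths, which also rejects traversal
// toward files that are not there.
function cleanup_old_file_safe(string $base_dir, string $submitted): bool
{
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return false;
    }
    // A legitimate stale upload is a plain file name; anything with a
    // directory component (including "..") is rejected before touching the disk.
    if ($submitted === '' || basename($submitted) !== $submitted) {
        return false;
    }
    $candidate = realpath($real_base . DIRECTORY_SEPARATOR . $submitted);
    if ($candidate === false || !is_file($candidate)) {
        return false;
    }
    // Compare against the base with a trailing separator so a sibling such as
    // "/uploads-other" cannot pass for "/uploads".
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($candidate);
}

// Demonstration against a constructed temporary tree (not a real WordPress install).
$tmp = sys_get_temp_dir() . '/path_check_example_' . uniqid();
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/secret.php', 'stand-in for a configuration file');
file_put_contents($tmp . '/uploads/old.txt', 'legitimate stale upload');

var_dump(cleanup_old_file_safe($tmp . '/uploads', '../secret.php')); // attempt to leave the base directory
var_dump(cleanup_old_file_safe($tmp . '/uploads', 'old.txt'));       // legitimate cleanup of a stale upload
var_dump(file_exists($tmp . '/secret.php'));                          // the file outside the base directory
```

The same prefix check applies to the read path: resolve the candidate with realpath() and refuse to open it unless it sits under the canonical upload directory.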

Affected Version(s)

Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder: all versions up to and including 3.4.4

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Credit

ll