Critical WordPress Security Flaw in Everest Forms Plugin
The UAE Cyber Security Council has observed a critical vulnerability in the Everest Forms WordPress
plugin that could allow attackers to upload arbitrary files, execute remote code, and delete critical
site files, potentially leading to complete website takeover.
| OEM | WordPress |
| Severity | Critical |
| CVSS score | 9.8 |
| CVEs | CVE-2025-1128 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
Vulnerability, CVE-2025-1128, has been discovered in the Everest Forms WordPress plugin, affecting over 100,000 websites and rated with a CVSS score of 9.8. The lack of proper file type and path validation within the format() method of the EVF_Form_Fields_Upload class, allowing attackers to upload
malicious files. This include PHP scripts disguised as seemingly harmless files, to the publicly
accessible WordPress uploads directory
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Arbitrary File Upload vulnerability | CVE-2025-1128 | Everest Forms Plugin | Critical | v3.0.9.5 |
Technical Summary
The vulnerability resides in the format() method of the EVF_Form_Fields_Upload class in Everest Forms. Due to missing file type and path validation, attackers can upload arbitrary files, including malicious PHP scripts disguised as other file types.
This enables unauthenticated remote code execution, file deletion, and reading of sensitive files such as wp-config.php, which can lead to full site compromise.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-1128 | Everest Forms Plugin <= 3.0.9.4 | Missing file type and path validation in format() method allows arbitrary file uploads, execution, and deletion | Remote Code Execution, Full Site Takeover |
Remediation:
- Apply Patch: Users should update to Everest Forms version 3.0.9.5 or later version as soon as possible.
General Recommendations
- Monitor for Suspicious Activity: Review server logs for unusual file uploads or access attempts.
- Implement a Web Application Firewall (WAF): Deploying a WAF can help mitigate exploitation risks.
- Review File Permissions: Ensure proper file permissions are set to prevent unauthorized access.
Conclusion:
The CVE-2025-1128 vulnerability in Everest Forms presents a severe security risk, as it allows unauthenticated attackers to upload arbitrary files and execute remote code.
The vulnerability has been addressed in version 3.0.9.5, and all affected users are urged to update immediately. Organizations should also implement security monitoring and preventive measures to safeguard their WordPress sites against similar threats in the future.
- Successful exploitation of this vulnerability could allow Attackers to:
o Upload malicious PHP code to the WordPress uploads folder
o Execute arbitrary code on the server
o Read and delete any arbitrary file on the server, including wp-config.php
o Potentially redirect the site to a database under attacker control
Affected Versions: - Everest Forms <= 3.0.9.4
Fixed Versions: - Everest Forms 3.0.9.5 or later
References:
- https://www.wordfence.com/blog/2025/02/100000-wordpress-sites-affected-by-arbitrary-file-upload-read-and-deletion-vulnerability-in-everest-forms-wordpress-plugin/