
Severe RCE Flaw Discovered in Everest Forms WordPress Plugin

The Everest Forms (Contact Forms, Quiz, Survey, Newsletter and Payment Form Builder) plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion because the “format” method of the EVF_Form_Fields_Upload class performs no file type or path validation, in all versions up to and including 3.0.9.4. An unauthenticated attacker can therefore upload, read, and delete arbitrary files on the affected site’s server, which may lead to remote code execution, sensitive information disclosure, or a full site takeover.

Technical Description

A critical security vulnerability, identified as CVE-2025-1128, has been discovered in the popular WordPress plugin Everest Forms, putting over 100,000 websites at risk of complete takeover. The flaw, which carries a severe CVSS score of 9.8, allows unauthenticated attackers to upload arbitrary files, execute remote code, and delete crucial configuration files, potentially leading to full site compromise.

The vulnerability was uncovered and responsibly disclosed by security researcher Arkadiusz Hydzik through Wordfence’s Bug Bounty Program, earning him a reward of $4,290. In response, Wordfence has issued an urgent advisory, urging users to update to the patched version, 3.0.9.5, without delay.

The root cause of this vulnerability lies in the format() method of the EVF_Form_Fields_Upload class. According to Wordfence, “The Everest Forms Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the ‘format’ method of the EVF_Form_Fields_Upload class.” This lack of validation enables attackers to upload harmful PHP scripts disguised as harmless files, such as .csv or .txt.

The consequences of this vulnerability are severe. Because uploaded files are stored in a publicly accessible directory, attackers can execute arbitrary code on the server, leading to a full site takeover. Wordfence warns, “This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.” Furthermore, improper sanitization of the input passed to rename() introduces an additional security risk.

Given the widespread use of Everest Forms, this vulnerability poses a significant threat to over 100,000 active installations. Wordfence emphasizes the danger, stating that “as with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.” WordPress site owners using Everest Forms are strongly advised to update to the latest version immediately to mitigate the risk.

Impact

An attacker could potentially:
• Upload malicious files to the server
• Read sensitive files and disclose confidential information
• Delete critical files
• Execute remote code
• Completely compromise the WordPress site’s security

IOC and Context Details

Topics | Details
Tactic Name | Initial Access, Execution, Persistence, Privilege Escalation, Impact
Technique Name | Exploit Public-Facing Application
Sub-Technique Name | Arbitrary File Upload Exploit
Attack Type | Remote Code Execution (RCE), Arbitrary File Upload, Privilege Escalation
Targeted Applications | WordPress (Everest Forms plugin)
Region Impacted | Global
Industry Impacted | All
IOCs | NA
CVE | CVE-2025-1128

Recommended Actions

Immediate Patch Deployment
• Update the Everest Forms plugin to the latest patched version (3.0.9.5 or higher) immediately.
• Ensure all other WordPress plugins, themes, and core files are updated to their latest versions.
• Configure WordPress to restrict file types allowed for upload.
• Implement MIME type verification to prevent disguised malicious files (e.g., PHP scripts masquerading as .txt or .csv).
• Regularly check WordPress logs (wp-content/debug.log, server logs) for unusual activity.
• Scan for unexpected PHP files in the /wp-content/uploads/ directory.
• Review recently modified files and unknown administrator accounts.
• Use security plugins like “Wordfence” or “Sucuri” to detect and block suspicious behavior.
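The two checks the advisory says were missing (file type and path validation) and the recommended scan of the uploads directory, as an added illustration written for this page; it is not Everest Forms code or the patched plugin logic. The allowed-extension list, the magic-byte table and the upload directory path are assumptions chosen for the example.

```python
import os
import re

# Assumed allowlist for a form-upload field; the advisory names .csv and .txt as the disguises used.
ALLOWED_EXTENSIONS = {"csv", "txt", "pdf", "png", "jpg"}
# Assumed magic-byte prefixes for the binary types; text types are sniffed for PHP tags instead.
MAGIC = {"pdf": b"%PDF", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes, upload_dir: str) -> tuple[bool, str]:
    """Return (ok, reason-or-destination). Rejects path components, disallowed or
    double extensions, type/content mismatches and PHP tags in text uploads."""
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path component or control byte in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False, "missing or empty extension"
    for ext in parts[1:]:  # every segment must be allowed, so x.php.txt is rejected
        if ext not in ALLOWED_EXTENSIONS:
            return False, f"extension .{ext} not allowed"
    ext = parts[-1]
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if ext in ("csv", "txt") and PHP_TAG.search(content):
        return False, "PHP open tag in text upload"
    # Path validation: the final destination must resolve inside the upload directory.
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(dest) != root:
        return False, "destination escapes upload directory"
    return True, dest


def find_unexpected_php(upload_dir: str) -> list[str]:
    """Walk an uploads tree and list files that look like PHP by name or by leading content."""
    hits = []
    for dirpath, _, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            suspicious = name.lower().endswith((".php", ".phtml", ".phar", ".php5"))
            if not suspicious:
                with open(path, "rb") as fh:
                    suspicious = PHP_TAG.search(fh.read(4096)) is not None
            if suspicious:
                hits.append(path)
    return sorted(hits)
```

Run find_unexpected_php against wp-content/uploads on a site that had the vulnerable version installed; any hit is worth a manual look.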
