CVE-2025-5927

Name of the Vulnerable Software and Affected Versions: The Everest Forms (Pro) plugin for WordPress versions up to, and including, 1.9.4

Description: The issue is related to insufficient file path validation in the delete entry files() function, allowing unauthenticated attackers to delete arbitrary files on the server. This can lead to remote code execution if critical files, such as wp-config.php, are deleted. The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.

Recommendations: For versions up to, and including, 1.9.4, update to a version that includes a fix for the insufficient file path validation in the delete entry files() function. As a temporary workaround, consider restricting access to the delete entry files() function until a patch is available.