PT-2026-33768 · WordPress · Everest Forms

Published: 2026-04-20 · Updated: 2026-04-21 · CVE-2026-5478

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Everest Forms versions prior to 3.4.5

Description: The plugin trusts attacker-controlled "old files" data from public form submissions as legitimate server-side upload state. It converts attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This allows unauthenticated attackers to read arbitrary local files, such as 'wp-config.php', by injecting path-traversal payloads into the "old files" upload field parameter, which are then attached to notification emails. Additionally, the post-email cleanup routine uses the same path resolution to call the unlink() function, resulting in the deletion of the targeted file.

This can lead to full site compromise through the disclosure of database credentials and authentication salts, or denial of service via the deletion of critical files. This issue requires the form to contain a file-upload or image-upload field and have the option to disable storing entry information enabled.

Recommendations: Update to a version newer than 3.4.4. As a temporary workaround, ensure that forms do not contain file-upload or image-upload fields, or enable the storage of entry information.
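The bug class described above, as an added illustration that is not Everest Forms' own code: a URL-to-path conversion done by prefix swapping keeps any '..' segments the submitter supplied, whereas canonicalizing with realpath() and enforcing the uploads directory as a boundary rejects them before anything is read or passed to unlink(). The UPLOAD_BASEURL and UPLOAD_BASEDIR constants are assumed stand-ins for what wp_upload_dir() would return; the sample URL is constructed.

```php
<?php
// Assumed upload base values (stand-ins for wp_upload_dir()['baseurl'] / ['basedir']).
const UPLOAD_BASEURL = 'https://example.test/wp-content/uploads';
const UPLOAD_BASEDIR = '/var/www/html/wp-content/uploads';

// Weak pattern: regex-replace the URL prefix with the directory prefix.
// Nothing checks that the remainder stays inside the uploads tree, so
// traversal segments in the submitted URL survive into the resulting path.
function url_to_path_unsafe(string $url): string {
    return preg_replace('#^' . preg_quote(UPLOAD_BASEURL, '#') . '#', UPLOAD_BASEDIR, $url);
}

// Hardened version: require the upload prefix, decode, canonicalize with realpath(),
// and refuse any result that does not resolve strictly under the uploads directory.
function url_to_path_safe(string $url): ?string {
    $prefix = UPLOAD_BASEURL . '/';
    if (strncmp($url, $prefix, strlen($prefix)) !== 0) {
        return null; // not an upload URL at all
    }
    $relative  = rawurldecode(substr($url, strlen($prefix)));
    $base      = realpath(UPLOAD_BASEDIR);
    $candidate = realpath(UPLOAD_BASEDIR . '/' . $relative);
    if ($base === false || $candidate === false) {
        return null; // base directory missing, or target does not exist
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // canonical path lies outside the uploads tree
    }
    return $candidate;
}

// Where the check belongs: the cleanup step deletes only what the safe resolver accepts.
function cleanup_old_file(string $url): bool {
    $path = url_to_path_safe($url);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed sample: a submitted "old file" URL carrying traversal segments.
$crafted = UPLOAD_BASEURL . '/../../wp-config.php';
echo "unsafe: ", url_to_path_unsafe($crafted), "\n"; // the '..' segments are kept
var_dump(url_to_path_safe($crafted));                // rejected by the boundary check
var_dump(cleanup_old_file($crafted));                // nothing is unlinked
```

Because realpath() resolves symlinks and requires the target to exist, the hardened resolver also refuses links that point out of the uploads tree, which plain string prefix checks on the unresolved path would not catch.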

Fix

Path traversal
