CVE-2026-11571
Everest Forms · Everest Forms WordPress Plugin
The Everest Forms WordPress plugin fails to securely delete temporary CSV files, allowing unauthenticated attackers to access sensitive form submissions via predictable file paths.
Executive summary
The Everest Forms WordPress plugin is susceptible to an information disclosure vulnerability that enables unauthorized access to sensitive user submission data.
Vulnerability
The flaw stems from the plugin's failure to reliably delete temporary CSV files generated during email-notification processing, leaving them publicly accessible in the WordPress uploads directory. This allows unauthenticated attackers to retrieve other users' form submission records via predictable filenames.
Business impact
With a CVSS score of 7.5, this vulnerability presents a significant risk of data breach. An attacker can harvest potentially sensitive user information submitted through forms, leading to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and potential reputational damage. The ability for unauthenticated users to access this data makes this a critical exposure for any site using the plugin.
Remediation
Immediate Action: Update the Everest Forms WordPress plugin to version 3.5.0 or later immediately.
Proactive Monitoring: Review the site’s uploads directory for the presence of unexpected CSV files and monitor server access logs for unauthorized attempts to access files within the /wp-content/uploads/ path.
Compensating Controls: If immediate patching is not possible, restrict direct access to the uploads directory via web server configuration (e.g., .htaccess or Nginx location blocks) to prevent public listing and direct file retrieval.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is highly actionable and poses a direct threat to data confidentiality. Administrators must update the plugin immediately to ensure that temporary files are handled securely. Failure to remediate exposes user data to unauthorized discovery by any external actor.