CVE-2026-5478 Overview
The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This vulnerability arises because the plugin trusts attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converts attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement.
This Path Traversal vulnerability (CWE-22) lets unauthenticated attackers read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter; the resolved file is then attached to notification emails. The same path resolution is reused in the post-email cleanup routine, which calls unlink() on the resolved path, so the targeted file is deleted after it has been attached.
Critical Impact
This vulnerability can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical WordPress files. Unauthenticated attackers can exploit this without any user interaction.
Affected Products
- Everest Forms WordPress Plugin versions up to and including 3.4.4
- WordPress installations with vulnerable Everest Forms configurations
- Sites using forms with file-upload or image-upload fields with disabled entry storage
Discovery Timeline
- April 20, 2026 - CVE-2026-5478 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5478
Vulnerability Analysis
This vulnerability represents a critical flaw in how the Everest Forms plugin handles file upload state management. The root issue lies in the trust placed on user-supplied data within the old_files parameter during form submissions. When a form containing file-upload or image-upload fields is configured to disable storing entry information, the plugin processes the old_files data without adequate validation.
The attack exploits a regex-based string replacement mechanism that converts URLs to local filesystem paths. Because the plugin fails to implement canonicalization or enforce directory boundary restrictions, attackers can craft malicious payloads containing path-traversal sequences (such as ../) to escape the intended upload directory and target arbitrary files on the server.
The vulnerability manifests in two distinct but related ways:
- File Read: When the plugin processes the malicious old_files path, it attaches the targeted file to notification emails, effectively exfiltrating sensitive content such as wp-config.php, which contains database credentials and authentication salts.
- File Deletion: After the email attachment process completes, the post-email cleanup routine invokes unlink() on the resolved file path, permanently deleting the targeted file from the server.
Root Cause
The root cause is improper input validation in the file upload handling logic within class-evf-form-fields-upload.php. The plugin's regex-based URL-to-path conversion lacks proper canonicalization and fails to enforce directory boundary restrictions. By trusting user-supplied old_files data without validation, the plugin allows path-traversal sequences to resolve to arbitrary filesystem locations outside the intended upload directory.
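The root cause above is the missing canonicalization and boundary check in the URL-to-path step. The following is an added illustration, not Everest Forms code (the plugin is PHP; the same checks map onto realpath() there), showing the textual-replacement pattern next to a hardened resolver and a cleanup routine that refuses to unlink anything outside the uploads directory. The site URL, directory layout and file names are constructed for the demo.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Assumed site URL and layout, constructed for the demo (not a real install).
UPLOAD_BASE_URL = "https://example.test/wp-content/uploads"

def url_to_path_naive(url: str, base_dir: str) -> str:
    """Vulnerable pattern: swap the URL prefix for the directory prefix and trust
    the result, so a '../' in the URL survives into the filesystem path."""
    return url.replace(UPLOAD_BASE_URL, base_dir, 1)

def url_to_path_safe(url: str, base_dir: str) -> Optional[str]:
    """Hardened: decode, canonicalise, then require the result to stay under base_dir."""
    prefix = UPLOAD_BASE_URL + "/"
    if not url.startswith(prefix):
        return None
    rel = unquote(url[len(prefix):])               # '..%2f' becomes '../' before the check
    base = os.path.realpath(base_dir)               # resolve symlinks on the base side too
    candidate = os.path.realpath(os.path.join(base, rel))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None                                 # escaped the upload directory
    return candidate

def safe_cleanup(old_files: list, base_dir: str) -> list:
    """Post-email cleanup that only unlinks files that resolve inside base_dir."""
    removed = []
    for url in old_files:
        path = url_to_path_safe(url, base_dir)
        if path and os.path.isfile(path):
            os.remove(path)
            removed.append(path)
    return removed

def demo() -> dict:
    """Throwaway tree: one genuine upload plus a 'wp-config.php' outside uploads."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        open(os.path.join(uploads, "cv.pdf"), "w").close()
        config = os.path.join(root, "wp-config.php")
        open(config, "w").close()
        old_files = [UPLOAD_BASE_URL + "/cv.pdf", UPLOAD_BASE_URL + "/../../wp-config.php"]
        naive = url_to_path_naive(old_files[1], uploads)   # -> .../uploads/../../wp-config.php
        removed = safe_cleanup(old_files, uploads)
        return {"naive_escapes": os.path.realpath(naive) == os.path.realpath(config),
                "removed": [os.path.basename(p) for p in removed],
                "config_survives": os.path.exists(config)}
```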
Attack Vector
The attack is network-accessible and requires no authentication. The exploitation chain, including its preconditions and outcomes, is:
- Identify a WordPress site running Everest Forms version 3.4.4 or earlier
- Locate a form containing a file-upload or image-upload field
- Ensure the form has entry storage disabled (prerequisite condition)
- Submit the form with a crafted old_files parameter containing path-traversal payloads
- The targeted file content is attached to notification emails (readable by the attacker if they control or can access the notification destination)
- The file is subsequently deleted during the cleanup routine
The vulnerability is exploited through the file upload field handling mechanism. Path-traversal payloads injected into the old_files parameter are processed by the regex-based path resolution in class-evf-form-fields-upload.php. Technical details of the vulnerable code can be found in the WordPress Plugin Code Repository.
Detection Methods for CVE-2026-5478
Indicators of Compromise
- Unusual form submissions containing path-traversal sequences (e.g., ../, ..%2f, ..%252f) in upload-related parameters
- Missing critical WordPress files such as wp-config.php, .htaccess, or core plugin files
- Notification emails with unexpected attachments containing server configuration data
- Web server error logs showing failed file operations or permission denied errors for system files
Detection Strategies
- Monitor web application firewall (WAF) logs for path-traversal patterns in POST requests to form submission endpoints
- Implement file integrity monitoring (FIM) on critical WordPress files including wp-config.php and core installation files
- Analyze email server logs for outbound messages with unusual attachments from WordPress notification processes
- Review PHP error logs for unlink() operations targeting files outside the uploads directory
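To make the WAF/log strategy above concrete, here is an added example (not from the page or the plugin) that peels nested percent-encoding and flags form POSTs whose fields carry a traversal segment, reporting the field name so old_files abuse stands out. The tab-separated log format and the sample lines are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, unquote

# A '..' segment bounded by slashes or string ends, checked after all decoding layers.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Peel nested percent-encoding: '..%252f' -> '..%2f' -> '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_params(body: str) -> dict:
    """Map each form field carrying a traversal sequence to its decoded value."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            decoded = fully_decode(value)
            if TRAVERSAL.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(lines) -> list:
    """Scan constructed WAF lines 'time<TAB>client<TAB>method<TAB>path<TAB>body'
    and report every POST whose body carries a traversal payload."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5 or parts[2] != "POST":
            continue
        hits = traversal_params(parts[4])
        if hits:
            alerts.append({"time": parts[0], "client": parts[1], "path": parts[3], "params": hits})
    return alerts

# Constructed sample lines (not real traffic). Lines 3 and 4 mimic the IoC patterns
# '../', '..%2f' and '..%252f' aimed at the old_files field; the rest are benign.
SAMPLE_LOG = [
    "2026-04-21T10:00:01Z\t203.0.113.5\tPOST\t/contact/\tname=Ann&old_files=https%3A%2F%2Fexample.test%2Fwp-content%2Fuploads%2Fcv.pdf",
    "2026-04-21T10:00:02Z\t203.0.113.5\tGET\t/contact/\t",
    "2026-04-21T10:03:14Z\t198.51.100.7\tPOST\t/contact/\told_files=https%3A%2F%2Fexample.test%2Fwp-content%2Fuploads%2F..%2F..%2F..%2Fwp-config.php",
    "2026-04-21T10:03:20Z\t198.51.100.7\tPOST\t/contact/\told_files%5B%5D=..%252f..%252fwp-config.php",
    "2026-04-21T10:03:25Z\t203.0.113.5\tPOST\t/contact/\tcomment=see+section+2..3+of+the+brief",
]
```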
Monitoring Recommendations
- Deploy SentinelOne Singularity to monitor file access patterns and detect anomalous read/delete operations on WordPress configuration files
- Configure real-time alerting for any modifications or deletions to wp-config.php and other critical WordPress files
- Implement network traffic analysis to detect data exfiltration through email channels containing sensitive configuration data
- Enable verbose logging on WordPress form plugins to capture detailed information about file upload operations
How to Mitigate CVE-2026-5478
Immediate Actions Required
- Update Everest Forms plugin to the latest patched version immediately
- Audit WordPress installations for evidence of exploitation including missing configuration files
- Review recent form submissions for suspicious path-traversal patterns in the old_files parameter
- Rotate database credentials and WordPress authentication salts if wp-config.php exposure is suspected
- Implement WAF rules to block path-traversal sequences in form submission requests
Patch Information
The vulnerability has been addressed in a security patch released by the Everest Forms development team. The fix is documented in the WordPress Changeset 3507814. Users should update to a version newer than 3.4.4 to remediate this vulnerability.
For additional technical details about this vulnerability, refer to the Wordfence Vulnerability Report.
Workarounds
- Disable file-upload and image-upload fields on public-facing forms until the patch can be applied
- Enable "Store Entry Information" option on forms to avoid the vulnerable code path
- Implement server-level file permissions to prevent the web server user from reading or deleting critical configuration files
- Deploy a web application firewall with rules to block requests containing path-traversal sequences
- Consider temporarily disabling the Everest Forms plugin if immediate patching is not possible
# Restrict file permissions on wp-config.php (assumes PHP runs as www-data; the
# web server user must keep read access or WordPress cannot load its config)
chown root:www-data /var/www/html/wp-config.php
chmod 440 /var/www/html/wp-config.php
# unlink() needs write access to the parent directory, not to the file itself, so
# on Linux filesystems that support it (ext4, xfs) the immutable flag is what blocks deletion
chattr +i /var/www/html/wp-config.php
# Verify Everest Forms plugin version
wp plugin list --name=everest-forms --fields=name,version,status
# Update Everest Forms to the latest version
wp plugin update everest-forms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.