A severe security vulnerability, tracked as CVE-2025-1128, has been uncovered in the popular WordPress plugin, Everest Forms, placing over 100,000 websites at immediate risk of complete compromise. The flaw, rated with a critical CVSS score of 9.8, allows unauthenticated attackers to upload arbitrary files, execute remote code, and even delete crucial configuration files, potentially leading to total site takeover.
The vulnerability was discovered and responsibly reported by security researcher Arkadiusz Hydzik through Wordfence’s Bug Bounty Program, earning him a $4,290.00 reward. Wordfence has issued an urgent advisory, urging users to update to the patched version, 3.0.9.5, immediately.
The core of the vulnerability lies within the format() method of the EVF_Form_Fields_Upload class. According to the Wordfence report, “The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the ‘format’ method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4.”
This lack of validation allows attackers to upload any file, including malicious PHP scripts disguised as seemingly harmless files like .csv or .txt. “Examining the code reveals that the plugin uses the format() method in the EVF_Form_Fields_Upload class to format and sanitize the field, and to move uploaded files from the temp folder to the media library folder,” the report explains. “Unfortunately, the function does not include any file type or extension checks in the vulnerable version.”
The consequences of this vulnerability are dire. Attackers can upload malicious PHP code to the WordPress uploads folder, which is publicly accessible, enabling them to execute arbitrary code on the server. “This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server,” Wordfence warns.
Furthermore, the rename() function’s improper sanitization opens another critical attack vector. “Unfortunately, the file parameter is not properly sanitized. This makes it possible for the attacker to read and delete any arbitrary file on the server, including the site’s wp-config.php file.” The wp-config.php file is the heart of a WordPress installation, containing database credentials and other vital settings. Deleting it forces the site into a setup state, allowing attackers to redirect it to a database under their control, effectively seizing complete control.
With over 100,000 active installations, the potential impact of the CVE-2025-1128 vulnerability is substantial. The Wordfence report emphasizes the severity: “As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.”
WordPress site owners using the Everest Forms plugin are strongly advised to take the following steps:
- Update Immediately: Update to Everest Forms version 3.0.9.5 as soon as possible.
- Monitor for Suspicious Activity: Check server logs for any unusual file uploads or access attempts.
- Implement Web Application Firewall (WAF): A WAF can help mitigate the risk of exploitation.
- Review File Permissions: Ensure proper file permissions are in place to prevent unauthorized access.
Related Posts:
- Breaking News: Widespread WordPress Plugin Compromise in Active Supply Chain Attack
- Captcha Plugin include backdoor that affects 300K WordPress sites
- WordPress Issues Urgent Security Update to Patch Multiple Vulnerabilities
