📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
On January 16th, 2025, we received a submission for an Arbitrary File Upload vulnerability in Everest Forms, a WordPress plugin with more than 100,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, and also makes it possible for unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file, which can make site takeover possible.
Props to Arkadiusz Hydzik who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $4,290.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 13, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on March 15, 2025.
We provided full disclosure details to the ThemeGrill team on February 9, 2025. The developer released the fully patched version on February 20, 2025. We would like to commend the ThemeGrill team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Everest Forms, version 3.0.9.5 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: Everest Forms
Plugin Slug: everest-forms
Affected Versions: <= 3.0.9.4
CVE ID: CVE-2025-1128
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Arkadiusz Hydzik
Fully Patched Version: 3.0.9.5
Bounty Award: $4,290.00
The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the ‘format’ method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site’s server which may make remote code execution, sensitive information disclosure, or a site takeover possible.
Technical Analysis
Everest Forms is a WordPress form builder plugin that allows users to create various types of forms, such as contact forms, online application forms, surveys, and polls, using a simple and user-friendly drag-and-drop builder.
Examining the code reveals that the plugin uses the format() method in the EVF_Form_Fields_Upload class to format and sanitize the field, and to move uploaded files from the temp folder to the media library folder, as shown in the following code snippet:
foreach ( $files as $file ) {
    $file = $this->generate_file_info( $file );

    // Allow third-party integrations.
    if ( has_filter( 'everest_forms_integration_uploads' ) ) {
        $file = apply_filters( 'everest_forms_integration_uploads', $file, $this->form_data );
    }

    if ( $this->is_media_integrated() ) {
        $file['path'] = $file['tmp_path'];
        $file         = $this->generate_file_attachment( $file );
    } elseif ( ! isset( $file['external'] ) && file_exists( $file['tmp_path'] ) ) {
        $this->create_dir( dirname( $file['path'] ) );
        @rename( $file['tmp_path'], $file['path'] ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
    }
}
protected function generate_file_info( $file ) {
    $dir              = $this->get_form_files_dir();
    $file['tmp_path'] = trailingslashit( $this->get_tmp_dir() ) . $file['file'];
    $file['type']     = 'application/octet-stream';

    if ( is_file( $file['tmp_path'] ) ) {
        $filetype     = wp_check_filetype( $file['tmp_path'] );
        $file['type'] = $filetype['type'];
    }

    // Data for no media case.
    $file_ext  = pathinfo( $file['name'], PATHINFO_EXTENSION );
    $file_base = wp_basename( $file['name'], ".$file_ext" );

    $file['file_name_new'] = sprintf(
        '%s-%s.%s',
        $file_base,
        wp_hash( $dir['path'] . $this->form_data['id'] . $this->field_id ),
        strtolower( $file_ext )
    );
    $file['file_name_new'] = wp_unique_filename( trailingslashit( $dir['path'] ), sanitize_file_name( $file['file_name_new'] ) );
    $file['file_url']      = trailingslashit( $dir['url'] ) . $file['file_name_new'];
    $file['path']          = trailingslashit( $dir['path'] ) . $file['file_name_new'];
    $file['attachment_id'] = 0;

    return $file;
}
Unfortunately, in the vulnerable version the function does not include any file type or extension checks, and the destination file name (and therefore its extension) is derived from the attacker-supplied name value. This means that any .csv or .txt file containing a malicious PHP script can be renamed to a .php file. The file is then moved to the WordPress uploads folder, which is publicly accessible. This makes it possible for unauthenticated attackers to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.
As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.
In addition, the rename() function moves the source file, effectively deleting it from its original location. Unfortunately, the file parameter is not properly sanitized: it is concatenated directly onto the temp directory path in generate_file_info(), so a path traversal sequence is honored. This makes it possible for the attacker to read and delete any arbitrary file on the server, including the site's wp-config.php file. Deleting wp-config.php forces the site into a setup state, allowing an attacker to take control by redirecting it to a database under their control. This ultimately provides access to the site's server where further infection can take place.
Disclosure Timeline
January 16, 2025 – We received the submission for the Unauthenticated Arbitrary File Upload, Read, and Deletion vulnerability in Everest Forms via the Wordfence Bug Bounty Program.
February 7, 2025 – We validated the report and confirmed the proof-of-concept exploit.
February 9, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
February 13, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
February 20, 2025 – The fully patched version of the plugin, 3.0.9.5, was released.
March 15, 2025 – Wordfence Free users will receive the same protection.
Conclusion
In this blog post, we detailed an Arbitrary File Upload, Read, and Deletion vulnerability within the Everest Forms plugin affecting versions 3.0.9.4 and earlier. This vulnerability allows unauthenticated threat actors to execute malicious code on the server, read arbitrary files, and delete arbitrary files, including the wp-config.php file, which can make site takeover possible. The vulnerability has been addressed in version 3.0.9.5 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Everest Forms as soon as possible considering the critical nature of this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 13, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on March 15, 2025.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
The post 100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin appeared first on Wordfence.