CVE-2025-1128 – This vulnerability in the Everest Forms WordPre... (How to Fix)

📋 TL;DR

This vulnerability in the Everest Forms WordPress plugin allows unauthenticated attackers to upload, read, and delete arbitrary files on affected servers. It affects all versions up to 3.0.9.4 due to missing file type and path validation. This can lead to remote code execution, sensitive data exposure, or complete site compromise.

💻 Affected Systems

Products:

Everest Forms WordPress Plugin

Versions: All versions up to and including 3.0.9.4

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations with vulnerable plugin versions regardless of configuration

📦 What is this software?

Everest Forms by Wpeverest

View all CVEs affecting Everest Forms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise via remote code execution, leading to data theft, malware deployment, or use as attack platform

🟠

Likely Case

Website defacement, data exfiltration, or backdoor installation for persistent access

🟢

If Mitigated

Limited file system access if proper file permissions and web application firewalls are configured

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes all exposed WordPress sites with vulnerable plugin versions immediately at risk

🏢 Internal Only: MEDIUM - Internal systems still vulnerable but attack surface reduced compared to internet-facing systems

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof of concept available in public references; unauthenticated nature makes exploitation trivial

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.9.5 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3243663/everest-forms#file7

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Everest Forms and click 'Update Now'
4. Verify version is 3.0.9.5 or higher

🔧 Temporary Workarounds

Disable Everest Forms Plugin

all

Temporarily disable the vulnerable plugin until patching is possible

wp plugin deactivate everest-forms

Web Application Firewall Rule

all

Block requests to Everest Forms upload endpoints

Add WAF rule to block requests containing '/wp-content/plugins/everest-forms/' in URI

🧯 If You Can't Patch

Implement strict file system permissions to limit web server write access
Deploy web application firewall with rules blocking Everest Forms upload functionality

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Everest Forms version number

Check Version:

wp plugin get everest-forms --field=version

Verify Fix Applied:

Verify Everest Forms version is 3.0.9.5 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads to /wp-content/plugins/everest-forms/
File deletion/modification in unexpected directories
POST requests to Everest Forms upload endpoints

Network Indicators:

HTTP requests to /wp-content/plugins/everest-forms/includes/abstracts/class-evf-form-fields-upload.php with suspicious parameters

SIEM Query:

source="web_server" AND (uri="/wp-content/plugins/everest-forms/" OR user_agent LIKE "%Everest%Forms%") AND (method="POST" OR status_code>=400)

📊 Metadata

CVE ID: CVE-2025-1128

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

EPSS Score: 7.36% exploit probability (91.5th percentile)

Published: February 25, 2025

Last Updated: February 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-1128, you might also want to check these: