Plugin Vulnerability Hub
Plugin 15 known issues Latest disclosed Apr 20, 2026

Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Vulnerabilities

Review known vulnerability records for the WordPress plugin Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder (`everest-forms`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-5478, CVE-2026-3296 and CVE-2025-52709, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 15
High or Critical: 7
Patch Coverage: 100%
Last Updated: Apr 20, 2026

Priority CVE Quick Links

Fast paths into Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 15

CVE-2026-3296 Critical 3.4.4
CVE-2026-3296 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Vulnerability

Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata

CVE-2025-3439 Critical 3.1.2
CVE-2025-3439 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Vulnerability

Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.1.1 - Unauthenticated PHP Object Injection

CVE-2025-1128 Critical 3.0.9.5
CVE-2025-1128 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Remote Code Execution

Everest Forms <= 3.0.9.4 - Unauthenticated Arbitrary File Upload, Read, and Deletion

CVE-2019-13575 Critical 1.5.0
CVE-2019-13575 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder SQL Injection

Contact Form, Drag and Drop Form Builder for WordPress – Everest Forms <= 1.4.9 - SQL Injection

CVE-2026-5478 High 3.4.5
CVE-2026-5478 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Vulnerability

Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter

CVE-2025-52709 High 3.2.3
CVE-2025-52709 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Vulnerability

Everest Forms <= 3.2.2 - Unauthenticated PHP Object Injection

CVE-2024-1812 High 2.0.8
CVE-2024-1812 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Server-Side Request Forgery

Everest Forms <= 2.0.7 - Unauthenticated Server-Side Request Forgery via font_url

CVE-2025-3421 Medium 3.1.2
CVE-2025-3421 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder Cross-Site Scripting

Everest Forms <= 3.1.1 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 15 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 4 critical and 3 high severity findings.
Recent CVEs: CVE-2026-5478, CVE-2026-3296 and CVE-2025-52709
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-5478
CVE-2026-5478: Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter

The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and con...

Published: Apr 20, 2026
Patched Release: 3.4.5
Affected Versions: Versions up to 3.4.4
Next Step: Update to 3.4.5 or newer if supported.

Plugin Critical Patched: Yes CVE-2026-3296
CVE-2026-3296: Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on...

Published: Apr 07, 2026
Patched Release: 3.4.4
Affected Versions: Versions up to 3.4.3
Next Step: Update to 3.4.4 or newer if supported.

Plugin High Patched: Yes CVE-2025-52709
CVE-2025-52709: Everest Forms <= 3.2.2 - Unauthenticated PHP Object Injection

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.2.2 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerabl...

Published: Jul 01, 2025
Patched Release: 3.2.3
Affected Versions: Versions up to 3.2.2
Next Step: Update to 3.2.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-3421
CVE-2025-3421: Everest Forms <= 3.1.1 - Reflected Cross-Site Scripting

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and...

Published: Apr 10, 2025
Patched Release: 3.1.2
Affected Versions: Versions up to 3.1.1
Next Step: Update to 3.1.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-3422
CVE-2025-3422: Everest Forms <= 3.1.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action tha...

Published: Apr 10, 2025
Patched Release: 3.1.2
Affected Versions: Versions up to 3.1.1
Next Step: Update to 3.1.2 or newer if supported.

Plugin Critical Patched: Yes CVE-2025-3439
CVE-2025-3439: Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.1.1 - Unauthenticated PHP Object Injection

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input from the 'field_value' parameter. This mak...

Published: Apr 10, 2025
Patched Release: 3.1.2
Affected Versions: Versions up to 3.1.1
Next Step: Update to 3.1.2 or newer if supported.

Plugin Critical Patched: Yes CVE-2025-1128
CVE-2025-1128: Everest Forms <= 3.0.9.4 - Unauthenticated Arbitrary File Upload, Read, and Deletion

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class...

Published: Feb 17, 2025
Patched Release: 3.0.9.5
Affected Versions: Versions up to 3.0.9.4
Next Step: Update to 3.0.9.5 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-13125
CVE-2024-13125: Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.0.8 - Authenticated (Admin+) Stored Cross-Site Scripting

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output esca...

Published: Jan 17, 2025
Patched Release: 3.0.8.1
Affected Versions: Versions up to 3.0.8
Next Step: Update to 3.0.8.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-10471
CVE-2024-10471: Everest Forms <= 3.0.4.1 - Authenticated (Admin+) Stored Cross-Site Scripting

The Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.4.1 due to insufficient input...

Published: Nov 05, 2024
Patched Release: 3.0.4.2
Affected Versions: Versions up to 3.0.4.1
Next Step: Update to 3.0.4.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-8542
CVE-2024-8542: Everest Forms <= 3.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.3 due to insufficient input sa...

Published: Aug 01, 2024
Patched Release: 3.0.3.1
Affected Versions: Versions up to 3.0.3
Next Step: Update to 3.0.3.1 or newer if supported.

Plugin High Patched: Yes CVE-2024-1812
CVE-2024-1812: Everest Forms <= 2.0.7 - Unauthenticated Server-Side Request Forgery via font_url

The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.7 via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web...

Published: Mar 15, 2024
Patched Release: 2.0.8
Affected Versions: Versions up to 2.0.7
Next Step: Update to 2.0.8 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-51695
CVE-2023-51695: Everest Forms <= 2.0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Everest Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-...

Published: Dec 27, 2023
Patched Release: 2.0.5
Affected Versions: Versions up to 2.0.4.1
Next Step: Update to 2.0.5 or newer if supported.