VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 4 known issues Latest disclosed Mar 30, 2026

Everest Forms Pro Vulnerabilities

Review known vulnerability records for the WordPress plugin Everest Forms Pro (`everest-forms-pro`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
4
High or Critical
3
Linked CVEs
4
Last Updated
Mar 30, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Everest Forms Pro so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
4 records include a published patch path.
Severity Mix
1 critical and 2 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for Everest Forms Pro

Sorted by latest disclosure date so newly published issues surface first.

Plugin Critical Patched: Yes CVE-2026-3300
Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code s...

Published
Mar 30, 2026
Patched Release
1.9.13
Affected Versions
Versions up to 1.9.12
Next Step
Update to 1.9.13 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: No CVE-2026-27070
Everest Forms Pro <= 1.9.10 - Unauthenticated Stored Cross-Site Scripting

The Everest Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pag...

Published
Mar 12, 2026
Patched Release
Not published
Affected Versions
Versions up to 1.9.10
Next Step
Open the full report for remediation notes and references.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-8871
Everest Forms (Pro) <= 1.9.7 - Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature

The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object....

Published
Nov 04, 2025
Patched Release
1.9.8
Affected Versions
Versions up to 1.9.7
Next Step
Update to 1.9.8 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-5927
Everest Forms (Pro) <= 1.9.4 - Unauthenticated Path Traversal to Arbitrary File Deletion

The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrar...

Published
Jun 24, 2025
Patched Release
1.9.5
Affected Versions
Versions up to 1.9.4
Next Step
Update to 1.9.5 or newer if supported.
Open Full Report Open CVE Reference