Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total12
Critical4
High2
Medium5
Reset
Showing 1-12 of 12 records
Threat Entry Updated 2026-04-08

CVE-2026-3296 - Everest Forms Plugin

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table.…

PLUGIN Everest Forms

CVE-2026-3296

CRITICAL CVSS 9.8 2026-04-08
Open Full Technical Breakdown
Threat Entry Updated 2026-04-01

CVE-2026-3300 - Everest Forms Plugin

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted…

PLUGIN Everest Forms

CVE-2026-3300

CRITICAL CVSS 9.8 2026-03-31
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-5927 - Everest Forms Plugin

The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.

PLUGIN Everest Forms

CVE-2025-5927

HIGH CVSS 7.5 2025-06-25
Open Full Technical Breakdown
Threat Entry Updated 2025-06-04

CVE-2024-8542 - Everest Forms Plugin

The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Everest Forms

CVE-2024-8542

MEDIUM CVSS 4.8 2025-05-15
Open Full Technical Breakdown
Threat Entry Updated 2025-04-23

CVE-2025-3439 - Everest Forms Plugin

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input from the 'field_value' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present…

PLUGIN Everest Forms

CVE-2025-3439

CRITICAL CVSS 9.8 2025-04-11
Open Full Technical Breakdown
Threat Entry Updated 2025-04-23

CVE-2025-3421 - Everest Forms Plugin

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Everest Forms

CVE-2025-3421

MEDIUM CVSS 6.1 2025-04-11
Open Full Technical Breakdown
Threat Entry Updated 2025-04-23

CVE-2025-3422 - Everest Forms Plugin

The The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

PLUGIN Everest Forms

CVE-2025-3422

MEDIUM CVSS 5.4 2025-04-11
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2025-1128 - Everest Forms Plugin

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.

PLUGIN Everest Forms

CVE-2025-1128

CRITICAL CVSS 9.8 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-05-21

CVE-2024-13125 - Everest Forms Plugin

The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Everest Forms

CVE-2024-13125

LOW CVSS 3.5 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-10471 - Everest Forms Plugin

The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Everest Forms

CVE-2024-10471

MEDIUM CVSS 4.8 2024-11-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-06

CVE-2024-1812 - Everest Forms Plugin

The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.7 via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Everest Forms

CVE-2024-1812

HIGH CVSS 7.2 2024-04-09
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24907 - Everest Forms Plugin

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

PLUGIN Everest Forms

CVE-2021-24907

MEDIUM CVSS 6.1 2021-12-21
Open Full Technical Breakdown
Scroll to top