Summary: A critical vulnerability, tracked as CVE-2025-1128, has been identified in the Everest Forms WordPress plugin, which is installed on more than 100,000 websites. It allows unauthenticated attackers to upload arbitrary files, achieve remote code execution, and potentially delete essential configuration files. The plugin, widely used for forms and surveys, does not validate uploaded files adequately, which can lead to complete site compromise. Users are urged to update to version 3.0.9.5 immediately; the issue was responsibly disclosed by security researcher Arkadiusz Hydzik.
Affected: Everest Forms Plugin for WordPress
Key points:
- Vulnerability allows arbitrary file uploads, remote code execution, and deletion of critical files.
- CVSS score of 9.8 (Critical), the highest severity band.
- Wordfence issued an urgent advisory for users to update to version 3.0.9.5.
- The vulnerability stems from insufficient file type and path validation in the plugin's code.
- Immediate actions recommended include updating the plugin, monitoring for suspicious activity, and reviewing file permissions.
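The following PHP is an added illustration of the vulnerability class named above (insufficient file type and path validation); it is not Everest Forms code and does not reproduce the actual flaw. It contrasts a weak upload check that trusts the last extension and the caller-supplied name with a hardened one that strips directories, rejects disallowed extensions anywhere in the name, sniffs magic bytes, and confines the target to the upload root. The function names, the allowlist, and the sample inputs are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Illustrative example, not the plugin's code. Allowed extensions and their expected magic bytes.
const ALLOWED_EXT = ['jpg' => "\xFF\xD8\xFF", 'png' => "\x89PNG", 'pdf' => "%PDF"];
const SERVER_EXECUTABLE = ['php', 'phtml', 'php5', 'php7', 'phar', 'htaccess'];

// Weak: checks only the final extension and joins the raw name onto the upload root,
// so "shell.php.jpg" passes and "../../x.jpg" escapes the directory.
function weakTarget(string $name, string $uploadRoot): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return isset(ALLOWED_EXT[$ext]) ? $uploadRoot . '/' . $name : null;
}

// Hardened: returns the absolute path to write to, or null to reject.
function hardenedTarget(string $name, string $bytes, string $uploadRoot): ?string
{
    // Drop any directory component (handles ../ and Windows separators) and odd characters.
    $base = basename(str_replace('\\', '/', $name));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);

    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return null; // need name.ext; no dotfiles such as .htaccess
    }
    $ext = strtolower(array_pop($parts));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;
    }
    // Reject executable extensions in inner positions (shell.php.jpg) as well.
    foreach ($parts as $inner) {
        if (in_array(strtolower($inner), SERVER_EXECUTABLE, true)) {
            return null;
        }
    }
    // Content must match the claimed type, not just the name.
    $magic = ALLOWED_EXT[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null;
    }
    // Defense in depth: resolve the root and confirm the final path stays directly inside it.
    $root = realpath($uploadRoot);
    if ($root === false) {
        return null;
    }
    $target = $root . DIRECTORY_SEPARATOR . implode('.', $parts) . '.' . $ext;
    if (dirname($target) !== $root) {
        return null;
    }
    return $target;
}

// Constructed sample uploads: name => first bytes of content.
$cases = [
    'shell.php'            => "<?php system(\$_GET['c']);",
    'shell.php.jpg'        => "\xFF\xD8\xFF\xE0 jpeg-looking header",
    '../../wp-config.jpg'  => "\xFF\xD8\xFF\xE0 jpeg-looking header",
    'photo.jpg'            => "\xFF\xD8\xFF\xE0 jpeg-looking header",
    'notes.pdf'            => "<?php echo 1; // wrong magic for a pdf",
];
$root = sys_get_temp_dir();
foreach ($cases as $name => $bytes) {
    printf("%-22s weak=%-40s hardened=%s\n", $name,
        weakTarget($name, $root) ?? 'deny',
        hardenedTarget($name, $bytes, $root) ?? 'deny');
}
```

Run with `php example.php`: the weak check accepts `shell.php.jpg` and builds a path outside the upload root for `../../wp-config.jpg`, while the hardened check rejects both and only writes `photo.jpg` into the resolved root. In a real WordPress plugin the same checks should sit on top of the core helpers (`wp_check_filetype_and_ext()`, `sanitize_file_name()`, `wp_upload_dir()`) rather than replace them, and the upload directory should additionally deny PHP execution at the web server.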