CVE-2025-1128

CVE-2025-2025-1128 is a critical vulnerability in the Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin, affecting all versions up to and including 3.0.9.4. The issue stems from missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class, enabling arbitrary file upload, read, and deletion on the affected site's server. It is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By leveraging the flawed validation, they can upload malicious files (such as webshells), read sensitive configuration files or databases, and delete critical components, potentially resulting in remote code execution, sensitive information disclosure, or complete site takeover.

Patches addressing this vulnerability are available in the plugin repository, including GitHub commit 7d37858d2c614aa107b0f495fe50819a3867e7f5, pull request 1406/files, and WordPress plugin trac changesets 3237831 (in includes/abstracts/class-evf-form-fields-upload.php) and 3243663. Security practitioners should urge site administrators to update the plugin immediately, with further details provided in Wordfence threat intelligence at the referenced URL.