LeakyCreds

CVE-2026-5478 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: April 20, 2026

Everest Forms WordPress Plugin - Path Traversal

Published: April 20, 2026 | Updated: April 20, 2026 | Remote Exploitable

Overview

Everest Forms WordPress plugin <= 3.4.4 contains a path traversal vulnerability caused by unsafe handling of attacker-controlled old_files data in file upload processing, which lets unauthenticated attackers read and delete arbitrary local files. Exploitation requires a form with a file-upload or image-upload field and disabled entry storage.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can read sensitive files and delete critical files, leading to full site compromise and denial of service.

Mitigation

Update to a version later than 3.4.4 or the latest available version.

Social Media Activity (2 posts)

TheHackerWire
@thehackerwire
Apr 20, 2026

🟠 CVE-2026-5478 - High (8.1) The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5478/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-5478
Severity: High
CVSS Score: 8.1
Type: path_traversal
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (Probability of exploitation in the next 30 days)