Everest Forms, a popular plugin for WordPress, is designed to allow users to easily create and manage various types of forms including contact forms, quizzes, surveys, newsletters, and payment forms. Unfortunately, a critical vulnerability has been discovered in the plugin, leaving millions of websites at risk. Specifically, the vulnerability affects all versions up to, and including, 3..9.4 of the plugin.
The vulnerability, designated as CVE-2025-1128, allows unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server. Exploiting this vulnerability could potentially allow remote code execution, sensitive information disclosure, or even a complete site takeover. In this post, we will discuss the technical details of the vulnerability, provide a proof-of-concept exploit, and guide you in applying a fix to your WordPress site.
Vulnerability Details
In the EVF_Form_Fields_Upload class of the Everest Forms plugin, a method called 'format' is responsible for handling file uploads to the server. The vulnerability stems from this method performing no file type or path validation at all, which lets an attacker upload, read, and delete arbitrary files on the server.
The following code snippet shows the security hole in the 'format' method:
public function format( $field_data, $entry_id, $form_id ) {
    $uploaded_files = array();
    if ( isset( $field_data['value'] ) ) {
        // Each submitted value is turned straight into an attachment URL;
        // nothing verifies what the value refers to, where the file lives,
        // or what type of file it is.
        foreach ( $field_data['value'] as $key => $value ) {
            $uploaded_files[] = evf_clean( wp_get_attachment_url( $value ) );
        }
    }
    return $uploaded_files;
}
Notice that the code is missing checks for file type, extension, and path validation.
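For contrast, the following is an added example of how a hardened version of the method could validate each value before returning it. It is not the plugin's actual patch; it assumes the submitted values are WordPress attachment post IDs, that evf_clean() is available as on the page, and uses a hypothetical extension allowlist that a real deployment would take from the field settings.

```php
// Added example, not the plugin's own fix: a hardened EVF_Form_Fields_Upload::format().
// Assumes $field_data['value'] holds attachment IDs and evf_clean() exists (as on the page).
public function format( $field_data, $entry_id, $form_id ) {
    $uploaded_files = array();
    if ( ! isset( $field_data['value'] ) || ! is_array( $field_data['value'] ) ) {
        return $uploaded_files;
    }

    // Hypothetical allowlist; take it from the field configuration in practice.
    $allowed_ext = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt' );
    $upload_base = realpath( wp_upload_dir()['basedir'] );
    if ( false === $upload_base ) {
        return $uploaded_files;
    }

    foreach ( $field_data['value'] as $value ) {
        $attachment_id = absint( $value );

        // 1. The value must be a real attachment post, not an arbitrary string or path.
        if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
            continue;
        }

        // 2. Path validation: the stored file must resolve inside the uploads directory.
        $file = get_attached_file( $attachment_id );
        $path = $file ? realpath( $file ) : false;
        if ( false === $path || 0 !== strpos( $path, $upload_base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }

        // 3. File type validation: the extension must be on the allowlist and
        //    map to a MIME type WordPress itself permits.
        $type = wp_check_filetype( basename( $path ) );
        if ( empty( $type['ext'] ) || empty( $type['type'] )
            || ! in_array( strtolower( $type['ext'] ), $allowed_ext, true ) ) {
            continue;
        }

        $uploaded_files[] = evf_clean( wp_get_attachment_url( $attachment_id ) );
    }
    return $uploaded_files;
}
```

Values that fail any of the three checks are silently dropped from the returned list; logging them is a useful addition when investigating suspected abuse.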
Exploit Details
An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable WordPress site. The following is an example of how an attacker could craft their malicious request:
POST /wp-json/everest/v1/forms/<form_id>/submit HTTP/1.1
Host: vulnerable-website.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZugW

------WebKitFormBoundary7MA4YWxkTrZugW
Content-Disposition: form-data; name="uploads[<field_id_1>]"; filename="<malicious_filename.ext>"
Content-Type: <malicious_content_type>

<malicious_file_contents>
------WebKitFormBoundary7MA4YWxkTrZugW--
Because the 'format' method performs no file type or path validation, a request like this lets the attacker place a malicious file on the server with nothing in the plugin standing in the way.
Mitigation Steps
It is crucial for WordPress site administrators to take immediate action to protect their websites from this critical vulnerability. The steps below outline the necessary actions to safeguard your site:
1. Upgrade your Everest Forms plugin to version 3.1. or newer. You can download the latest version from the plugin's official page.
2. If you cannot immediately upgrade your plugin, implement a temporary security measure by using a Web Application Firewall (WAF) that blocks malicious requests targeting the 'format' method in the EVF_Form_Fields_Upload class.
3. Regularly check the CVE Details page and the plugin's changelog for updates on this vulnerability.
4. Actively monitor your server logs for any suspicious activity that could be indicative of a successful exploit.
By taking these preventative measures, you can significantly reduce the risk of your WordPress site falling victim to an attacker exploiting CVE-2025-1128. Always remember that the security of your website is vital not only for its functionality but also for the protection of your site's users and their sensitive information.
Timeline
Published on: 02/25/2025 07:15:18 UTC