CVE-2025-1128
Published: 25 February 2025
Summary
CVE-2025-1128 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wpeverest Everest Forms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through patching the EVF_Form_Fields_Upload class directly eliminates the missing file type and path validation vulnerability.
Information input validation enforces checks on file types and paths in upload processing, preventing arbitrary file upload, read, and deletion exploits.
Malicious code protection scans and blocks execution of uploaded dangerous files like webshells, mitigating remote code execution from the unrestricted uploads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated arbitrary file upload (CWE-434) on public-facing WordPress plugin enables T1190 exploitation and subsequent web shell deployment (T1505.003) for RCE.
NVD Description
The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of…
more
the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.
Deeper analysisAI
CVE-2025-2025-1128 is a critical vulnerability in the Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin, affecting all versions up to and including 3.0.9.4. The issue stems from missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class, enabling arbitrary file upload, read, and deletion on the affected site's server. It is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By leveraging the flawed validation, they can upload malicious files (such as webshells), read sensitive configuration files or databases, and delete critical components, potentially resulting in remote code execution, sensitive information disclosure, or complete site takeover.
Patches addressing this vulnerability are available in the plugin repository, including GitHub commit 7d37858d2c614aa107b0f495fe50819a3867e7f5, pull request 1406/files, and WordPress plugin trac changesets 3237831 (in includes/abstracts/class-evf-form-fields-upload.php) and 3243663. Security practitioners should urge site administrators to update the plugin immediately, with further details provided in Wordfence threat intelligence at the referenced URL.
Details
- CWE(s)