Cyber Resilience

CVE-2025-1128

Critical

Published: 25 February 2025
Modified: 28 February 2025
KEV: not listed
Patch: available
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.1144 (93.8th percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1128 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wpeverest Everest Forms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS percentile places it in the top 6.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Everest Forms plugin for WordPress, which provides contact form, quiz, survey, and payment capabilities, contains an arbitrary file upload, read, and deletion flaw in all versions through 3.0.9.4. The root cause is missing file-type and path validation inside the format method of the EVF_Form_Fields_Upload class, allowing an attacker to supply arbitrary paths and extensions when handling form uploads.

Unauthenticated remote attackers can exploit the issue over the network to upload, read, or delete any file on the server. Successful abuse can result in remote code execution, disclosure of sensitive data such as configuration files or database credentials, or complete site takeover, consistent with the CVSS 9.8 rating.

Public references point to patches that add proper validation and restrict the allowed file operations; the fixes appear in commit 7d37858 and subsequent WordPress.org plugin changesets that update the affected class. Site operators should upgrade to a version newer than 3.0.9.4. As defence in depth, make sure the web server will not execute scripts placed in the upload directory: in WordPress that directory sits under wp-content inside the web root, so the practical control is to disable PHP execution there rather than to relocate it.
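To make the flaw class concrete, the following Python example is added here; it is not the plugin's code, and the real fix in the PHP class named above is not reproduced. It contrasts the unsafe path construction the paragraphs describe (client-controlled name and extension concatenated straight into the storage path) with a hardened validator that collapses the name to one component, allowlists the extension, normalises the stored name and re-checks containment. UPLOAD_ROOT and ALLOWED_EXTENSIONS are assumed values chosen for the demonstration, and the inputs exercised at the bottom are constructed.

```python
import posixpath

# Assumed upload root for the demonstration; the plugin's real storage
# layout is not reproduced here.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/evf"

# Allowlist of what a contact form legitimately needs. Anything absent
# (php, phtml, phar, htaccess, ...) is refused, so new executable types are
# blocked by default instead of by a denylist that has to be kept current.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv", "docx"}


class UploadRejected(ValueError):
    """Raised when a submitted filename fails validation."""


def vulnerable_target_path(client_name: str, client_ext: str) -> str:
    """The flaw class described above: the client-supplied name and extension
    go straight into the storage path, so "../../../wp-config" + "php"
    resolves to a file outside the upload directory with an executable
    extension. Deliberately unsafe; shown for contrast only."""
    return posixpath.normpath(
        posixpath.join(UPLOAD_ROOT, f"{client_name}.{client_ext}")
    )


def safe_target_path(client_name: str, client_ext: str) -> str:
    """Hardened counterpart: reject control bytes, collapse the name to one
    path component, allowlist the extension, normalise the stored name and
    finally confirm the result still lives under UPLOAD_ROOT."""
    # NUL bytes truncate names inside C-level filesystem calls; refuse them outright.
    if "\x00" in client_name or "\x00" in client_ext:
        raise UploadRejected("NUL byte in filename")
    # Keep only the last path component; this discards ../ sequences, absolute
    # paths and Windows-style separators in one step.
    base = posixpath.basename(client_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UploadRejected("empty or traversal-only filename")
    # Compare the extension case-insensitively: .PHP and .pHp are executable too.
    ext = client_ext.lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {client_ext!r}")
    # Drop everything after the first dot so "shell.php.jpg" is stored as
    # "shell.jpg"; some handler configurations match on inner extensions.
    stem = base.split(".")[0]
    # Restrict the stored stem to a conservative character set and length.
    stem = "".join(c for c in stem if c.isalnum() or c in "-_")[:64] or "upload"
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, f"{stem}.{ext}"))
    # Defence in depth: even after the steps above, refuse anything that
    # resolves outside the upload root.
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise UploadRejected("path escapes upload root")
    return target


def is_accepted(client_name: str, client_ext: str) -> bool:
    """True if the hardened validator accepts the input, False if it rejects it."""
    try:
        safe_target_path(client_name, client_ext)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs in the shape an attacker or a legitimate user would send.
    cases = [("../../../wp-config", "php"), ("shell.php", "JPG"),
             ("invoice 2025", "pdf"), ("shell.php\x00", "jpg"), ("report", "phtml")]
    for name, ext in cases:
        print(f"{name!r:30} {ext!r:8} unsafe -> {vulnerable_target_path(name, ext)}")
        verdict = safe_target_path(name, ext) if is_accepted(name, ext) else "REJECTED"
        print(f"{'':30} {'':8} safe   -> {verdict}")
```

The unsafe variant shows why the impact is rated as it is: three `../` segments from an uploads subdirectory land on `wp-config.php` in the web root, which is exactly the read and overwrite target described above. The hardened variant never trusts the submitted extension, and the final `commonpath` check is deliberately redundant so that a regression in any earlier step still fails closed.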

The associated EPSS score has remained flat at 0.1144 with no material increase after disclosure.

Vulnerability details

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Direct unauthenticated arbitrary file upload (CWE-434) in a public-facing WordPress plugin enables initial access via T1190 and subsequent web shell deployment (T1505.003) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2025-32957 (shared CWE-434)

Affected Assets

wpeverest
everest forms
≤ 3.0.9.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation through patching the EVF_Form_Fields_Upload class directly eliminates the missing file type and path validation vulnerability.

SI-10 Information Input Validation (prevent)

Information input validation enforces checks on file types and paths in upload processing, preventing arbitrary file upload, read, and deletion exploits.

SI-3 Malicious Code Protection (prevent, detect)

Malicious code protection scans and blocks execution of uploaded dangerous files such as web shells, mitigating remote code execution from the unrestricted uploads.
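As an added example of the detection side of the malicious code protection control and of the web shell technique (T1505.003) listed above, here is a Python scanner that is not part of this page's analysis or of the plugin. It walks an upload tree and flags files by executable extension, executable inner extension (image.php.jpg), server configuration names that can re-enable execution (.htaccess, .user.ini, web.config) and PHP content regardless of name. The directory it builds and every file in it are constructed for the demonstration, not captured from an incident.

```python
import os
import re
import tempfile

# File types a web server may execute if they land in a writable upload directory.
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Server configuration files that can re-enable execution for harmless-looking extensions.
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini", "web.config"}

PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
DANGEROUS_CALLS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode)\s*\(",
    re.IGNORECASE,
)


def scan_uploads(root: str, head_bytes: int = 65536) -> list:
    """Walk an uploads tree and return [{'path': relative path, 'reasons': [...]}]
    for every file that looks like it could be, or could enable, a web shell."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            lower = name.lower()
            if lower in SERVER_CONFIG_NAMES:
                reasons.append("server config file in upload tree")
            parts = lower.split(".")
            # Final extension, e.g. shell.php
            if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXT:
                reasons.append("executable extension")
            # Inner extension, e.g. image.php.jpg
            if len(parts) > 2 and any("." + p in EXECUTABLE_EXT for p in parts[1:-1]):
                reasons.append("executable inner extension")
            # Content check catches a PHP payload regardless of what it is named.
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)
            if PHP_OPEN_TAG.search(head):
                reasons.append("php open tag in content")
                if DANGEROUS_CALLS.search(head):
                    reasons.append("dangerous call in content")
            if reasons:
                findings.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                                 "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed uploads directory in a temp location. The files and
    contents are made up for the example; none are captured from a real incident."""
    root = tempfile.mkdtemp(prefix="evf-uploads-")
    month = os.path.join(root, "2025", "02")
    os.makedirs(month)
    samples = {
        "resume.pdf": b"%PDF-1.4\n%constructed sample\n",
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "notes.txt": b"meeting notes, nothing to see here\n",
        "shell.php": b"<?php @eval($_POST['c']); ?>",
        "image.php.jpg": b"GIF89a<?php system($_GET['cmd']); ?>",
        ".htaccess": b"AddHandler application/x-httpd-php .jpg\n",
    }
    for name, data in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for finding in scan_uploads(build_sample_tree()):
        print(f"{finding['path']}: {', '.join(finding['reasons'])}")
```

Run it against a real wp-content/uploads tree by passing that path to scan_uploads. The content check is what matters after an incident like this one: a payload uploaded through a flaw of this class may carry any extension the attacker chose, so a scan keyed on names alone would miss it, while the .htaccess rule in the sample is the kind of sibling file that turns a .jpg into executable code.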
