CVE-2025-1128
Published: 25 February 2025
Summary
CVE-2025-1128 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wpeverest Everest Forms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.2% of all CVEs by EPSS exploit likelihood and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Everest Forms plugin for WordPress, which provides contact form, quiz, survey, and payment capabilities, contains an arbitrary file upload, read, and deletion flaw in all versions through 3.0.9.4. The root cause is missing file-type and path validation inside the format method of the EVF_Form_Fields_Upload class, allowing an attacker to supply arbitrary paths and extensions when handling form uploads.
Unauthenticated remote attackers can exploit the issue over the network to upload, read, or delete any file on the server. Successful abuse can result in remote code execution, disclosure of sensitive data such as configuration files or database credentials, or complete site takeover, consistent with the CVSS 9.8 rating.
Public references point to patches that add proper validation and restrict the allowed file operations; the fixes appear in commit 7d37858 and subsequent WordPress.org plugin changesets that update the affected class. Site operators should upgrade to a fixed release (newer than 3.0.9.4) and, as defence in depth, confirm that the web server cannot execute scripts from the plugin's upload directory; WordPress keeps wp-content/uploads inside the web root, so storing form uploads outside the web root is only an option where the deployment supports it.
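To make the root cause concrete, the following PHP illustrates the CWE-434 pattern described above beside a hardened version. This is an added example, not Everest Forms code or the project's patch: the function names, the extension allow-list, the MIME map and the constructed sample submissions are assumptions made for this illustration, and it assumes PHP's fileinfo extension (enabled by default) is available. In a WordPress plugin the same checks would normally go through sanitize_file_name() and wp_check_filetype_and_ext().

```php
<?php
// Added illustration of the CWE-434 pattern, not Everest Forms code: function
// names, the allow-list, the MIME map and the sample submissions are assumptions.
declare(strict_types=1);

// Vulnerable shape: the submitted name decides the destination (and its extension)
// and the submitted path decides which file is moved, or deleted in a cleanup
// branch. A client can write shell.php under the web root, or relocate/delete any
// file the web server user can reach, such as wp-config.php.
function vulnerable_format(array $file, string $upload_dir): string
{
    $dest = $upload_dir . '/' . $file['name'];  // no basename(), no extension check
    rename($file['file'], $dest);               // source path trusted as-is
    return $dest;
}

// Extension allow-list with the MIME type each one must carry.
const ALLOWED = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
    'gif' => 'image/gif', 'pdf' => 'application/pdf', 'txt' => 'text/plain',
];

// True when $path resolves (symlinks followed) to something strictly inside $dir.
function inside_dir(string $path, string $dir): bool
{
    $real = realpath($path);
    $base = realpath($dir);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Hardened shape: confine the source, normalise the name, allow-list the
// extension, check the bytes against the extension, then move.
function hardened_format(array $file, string $upload_dir, string $staging_dir): string
{
    // 1. Only a file the plugin itself staged may be moved, never a client-chosen path.
    if (!inside_dir($file['file'], $staging_dir) || !is_file($file['file'])) {
        throw new RuntimeException('source is not a staged upload');
    }
    // 2. Strip directory components and hostile characters from the name.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name[0] === '.' || $ext === '') {
        throw new RuntimeException('invalid file name');
    }
    // 3. Allow-list the final extension and flatten inner dots, so that
    //    "shell.php.jpg" is stored as "shell_php.jpg" (defeats multi-extension handlers).
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    $name = str_replace('.', '_', pathinfo($name, PATHINFO_FILENAME)) . '.' . $ext;
    // 4. The content must match what the extension claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['file']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // 5. Destination is now guaranteed to be a direct child of the upload directory.
    $dest = $upload_dir . DIRECTORY_SEPARATOR . $name;
    if (file_exists($dest) || !rename($file['file'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Constructed demo: a staging dir, an upload dir, a fake wp-config.php and
// three submissions (paths and contents are made up for the example).
$root    = sys_get_temp_dir() . '/evf-demo-' . getmypid();
$staging = "$root/tmp";
$uploads = "$root/uploads";
mkdir($staging, 0700, true);
mkdir($uploads, 0700, true);
file_put_contents("$root/wp-config.php", '<?php // DB credentials live here');
file_put_contents("$staging/def456", '<?php system($_GET["c"]);');
file_put_contents("$staging/abc123", "hello from a form\n");

// The vulnerable path happily writes a PHP file one level above the upload dir.
$where = vulnerable_format(['name' => '../shell.php', 'file' => "$staging/def456"], $uploads);
echo "vulnerable -> wrote ", realpath($where), "\n";

$submissions = [
    'traversal' => ['name' => '../../shell.php', 'file' => "$staging/abc123"],
    'read'      => ['name' => 'config.txt',      'file' => "$root/wp-config.php"],
    'benign'    => ['name' => 'notes.txt',       'file' => "$staging/abc123"],
];
foreach ($submissions as $label => $file) {
    try {
        printf("%-9s -> stored %s\n", $label, hardened_format($file, $uploads, $staging));
    } catch (RuntimeException $e) {
        printf("%-9s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```

The two path checks are the ones that map to the "read" and "deletion" halves of the advisory: an attacker-supplied source path is what turns an upload handler into an arbitrary file read or move, and a destination built from an unsanitised name is what turns it into an arbitrary write. Allow-listing the extension alone would leave both of those open.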
The associated EPSS score (the estimated probability of exploitation in the wild within 30 days) has remained flat at 0.1144, with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5070
Vulnerability details
The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server, which may make remote code execution, sensitive information disclosure, or a site takeover possible.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1505.003 (Server Software Component: Web Shell)
Why these techniques?
Direct, unauthenticated arbitrary file upload (CWE-434) in a public-facing WordPress plugin gives initial access via T1190, with subsequent web shell deployment (T1505.003) as the path to remote code execution.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): upgrading to a release that patches the EVF_Form_Fields_Upload class removes the missing file-type and path validation at its source.
SI-10 (Information Input Validation): enforcing checks on submitted file names, extensions and paths during upload processing (an extension allow-list, stripping directory components, confining both source and destination to the upload directory) removes the arbitrary upload, read and deletion primitives.
SI-3 (Malicious Code Protection): scanning uploaded content and blocking execution of dangerous files such as web shells in the upload directory limits the impact of any upload that slips through, mitigating remote code execution from unrestricted uploads.
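As an added example of the malicious-code-protection control (not part of the advisory, the plugin or any particular scanner), the following PHP walks an uploads tree and flags files that carry an executable extension anywhere in their name or contain PHP and shell indicators, then checks whether an Apache .htaccess disables the PHP engine there. The extension list, indicator strings, the .htaccess heuristic and the constructed sample tree are all assumptions made for the illustration; a production scanner would use signatures, hashes and a sandbox rather than substring matching.

```php
<?php
// Added example for SI-3 style scanning of a WordPress uploads tree. Not the
// plugin's or any vendor's code: lists, paths and sample files are assumptions.
declare(strict_types=1);

// Extensions a typical Apache/PHP-FPM setup may execute from the web root.
const EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];
// Cheap content indicators of a dropped web shell.
const INDICATORS = ['<?php', '<?=', 'eval(', 'base64_decode(', 'system(',
                    'passthru(', 'shell_exec(', 'assert('];

// Returns [path => [reasons...]] for every suspicious file under $dir.
function scan_uploads(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $reasons = [];
        // Every dotted segment after the first counts, so "avatar.php.jpg" is caught.
        $parts = array_map('strtolower', array_slice(explode('.', $info->getFilename()), 1));
        foreach (array_intersect($parts, EXECUTABLE_EXT) as $ext) {
            $reasons[] = "executable extension .$ext";
        }
        // Only the first 64 KiB is inspected; shells are rarely larger and images are.
        $head = (string) file_get_contents($path, false, null, 0, 65536);
        foreach (INDICATORS as $needle) {
            if (stripos($head, $needle) !== false) {
                $reasons[] = "contains $needle";
            }
        }
        if ($reasons) {
            $hits[$path] = $reasons;
        }
    }
    return $hits;
}

// Heuristic: does an Apache .htaccess in $dir switch PHP off or deny access?
// (nginx needs an equivalent "location ~* \.php$ { deny all; }" for the uploads path.)
function php_execution_blocked(string $dir): bool
{
    $ht = @file_get_contents("$dir/.htaccess");
    return $ht !== false
        && preg_match('/php_flag\s+engine\s+off|Require all denied|Deny from all/i', $ht) === 1;
}

// Constructed sample tree (contents are made up for the demo).
$root = sys_get_temp_dir() . '/uploads-scan-' . getmypid();
mkdir("$root/2025/02", 0700, true);
file_put_contents("$root/2025/02/photo.png", "\x89PNG\r\n\x1a\n");                  // benign
file_put_contents("$root/2025/02/avatar.php.jpg", "\xFF\xD8\xFF");                   // double extension
file_put_contents("$root/2025/02/evf-cache.php", '<?php eval(base64_decode($_POST["x"]));'); // shell
file_put_contents("$root/.htaccess", "php_flag engine off\n");

foreach (scan_uploads($root) as $path => $reasons) {
    echo substr($path, strlen($root)), ': ', implode(', ', $reasons), "\n";
}
echo 'PHP execution blocked in uploads: ', php_execution_blocked($root) ? 'yes' : 'no', "\n";
```

Run it against wp-content/uploads on a suspect host; anything it flags is a starting point for forensic review, not proof of compromise, and an uploads directory where php_execution_blocked() reports "no" is the first thing to fix regardless of findings.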