Cyber Posture

CVE-2026-5478

Severity: High
Published: 20 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5478 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation requires updating the vulnerable Everest Forms plugin beyond version 3.4.4, directly preventing exploitation of the path traversal vulnerability as specified in the available patch.

Prevent: Information input validation on the attacker-controlled old_files parameter prevents injection of path-traversal payloads that resolve to arbitrary local filesystem paths without canonicalization.

Prevent: Access enforcement ensures the plugin only permits read and delete operations on authorized file paths, blocking unauthorized access to sensitive files like wp-config.php.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Path traversal in a public-facing WordPress plugin enables T1190 via unauthenticated form submission, T1005 for arbitrary local file reads (e.g., wp-config.php), and T1485 for file deletion causing denial of service on critical files.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Everest Forms plugin for WordPress is vulnerable to Arbitrary File Read and Deletion in all versions up to, and including, 3.4.4. This is due to the plugin trusting attacker-controlled old_files data from public form submissions as legitimate server-side upload state, and converting attacker-supplied URLs into local filesystem paths using regex-based string replacement without canonicalization or directory boundary enforcement. This makes it possible for unauthenticated attackers to read arbitrary local files (e.g., wp-config.php) by injecting path-traversal payloads into the old_files upload field parameter, which are then attached to notification emails. The same path resolution is also used in the post-email cleanup routine, which calls unlink() on the resolved path, resulting in the targeted file being deleted after being attached. This can lead to full site compromise through disclosure of database credentials and authentication salts from wp-config.php, and denial of service through deletion of critical files. Prerequisite: The form must contain a file-upload or image-upload field, and disable storing entry information.

Deeper analysis

The Everest Forms plugin for WordPress, in all versions up to and including 3.4.4, is vulnerable to arbitrary file read and deletion (CVE-2026-5478, published 2026-04-20). The flaw arises because the plugin trusts attacker-controlled "old_files" data from public form submissions as legitimate server-side upload state. It then converts attacker-supplied URLs into local filesystem paths via regex-based string replacement, without canonicalization or directory boundary enforcement.

Unauthenticated attackers can exploit this vulnerability (AV:N/PR:N) by injecting path-traversal payloads into the "old_files" upload field parameter of a form containing a file-upload or image-upload field with entry information storage disabled. The payloads resolve to arbitrary local files, such as wp-config.php, which are attached to notification emails for disclosure of sensitive data like database credentials and authentication salts. A subsequent post-email cleanup routine invokes unlink() on the resolved paths, enabling file deletion and potential denial of service against critical files. This can result in full site compromise, with a CVSS v3.1 base score of 8.1 (AC:H/UI:N/S:U/C:H/I:H/A:H) and association to CWE-22 (Path Traversal).

Mitigation requires updating the Everest Forms plugin beyond version 3.4.4. A patch is available in WordPress plugin trac changeset 3507814. Further details appear in the plugin source code at lines 1306, 1581, and 1665 of class-evf-form-fields-upload.php (tag 3.4.4) and the Wordfence threat intelligence report.
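As an added illustration (not the plugin's code or its actual patch), the resolver below applies the SI-10 input validation and AC-3 directory boundary enforcement named above to the URL-to-path step the description faults, and the cleanup routine only unlinks what that resolver accepts. The function names are hypothetical; the WordPress helpers wp_upload_dir(), wp_normalize_path() and trailingslashit() are assumed to be loaded.

```php
<?php
// Added illustration, not Everest Forms code or its patch. Assumes the WordPress
// helpers wp_upload_dir(), wp_normalize_path(), trailingslashit() are loaded.

// Map a submitted "old_files" URL to a local path, accepting it only if it
// canonicalizes to an existing file inside the uploads directory.
// Returns the real path, or false when the input is rejected.
function hypothetical_resolve_upload_url( string $url ) {
    $uploads  = wp_upload_dir();
    $base_url = trailingslashit( $uploads['baseurl'] );
    $base_dir = realpath( $uploads['basedir'] );
    if ( false === $base_dir ) {
        return false;
    }
    $base_dir = trailingslashit( wp_normalize_path( $base_dir ) );
    // SI-10: only URLs under the uploads URL are acceptable input. A bare
    // str_replace() of the prefix would leave any other string intact.
    if ( 0 !== strpos( $url, $base_url ) ) {
        return false;
    }
    // Decode once, before any check, so encoded "../" cannot bypass it.
    $relative = rawurldecode( substr( $url, strlen( $base_url ) ) );
    if ( '' === $relative || false !== strpos( $relative, "\0" ) ) {
        return false;
    }
    // Canonicalize: realpath() resolves "..", "." and symlinks, and returns
    // false for paths that do not exist.
    $real = realpath( $base_dir . $relative );
    if ( false === $real ) {
        return false;
    }
    $real = wp_normalize_path( $real );
    // AC-3: directory boundary enforcement. The trailing slash on $base_dir
    // stops a sibling such as ".../uploads-private" from passing as uploads.
    if ( 0 !== strpos( $real, $base_dir ) ) {
        return false;
    }
    return $real;
}
// Post-email cleanup that deletes only files the guarded resolver accepts.
function hypothetical_cleanup_old_files( array $old_files ) : int {
    $deleted = 0;
    foreach ( $old_files as $url ) {
        $path = hypothetical_resolve_upload_url( (string) $url );
        if ( false !== $path && is_file( $path ) && unlink( $path ) ) {
            $deleted++;
        }
    }
    return $deleted;
}
```

Because the same resolver is used for attaching and for cleanup, a submitted URL that fails the boundary check is neither read nor deleted.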

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

WordPress
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2024-54291 (shared CWE-22)
CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-14868 (shared CWE-22)
CVE-2026-33293 (shared CWE-22)
CVE-2025-10559 (shared CWE-22)
CVE-2024-8898 (shared CWE-22)
CVE-2025-67076 (shared CWE-22)
CVE-2026-5258 (shared CWE-22)

References