Everest Forms Pro <= 1.9.12 - Unauthenticated Stored Cross-Site Scripting
Description
The Everest Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.9.12This research plan outlines the methodology for analyzing and exploiting the Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Everest Forms Pro (CVE-2026-27070). ## 1. Vulnerability Summary Everest Forms Pro (up to 1.9.12) contains a stored XSS vulnerability because it fails to ad…
Show full research plan
This research plan outlines the methodology for analyzing and exploiting the Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Everest Forms Pro (CVE-2026-27070).
1. Vulnerability Summary
Everest Forms Pro (up to 1.9.12) contains a stored XSS vulnerability because it fails to adequately sanitize or escape user-supplied data during form submission and subsequent display in the administrative dashboard. An unauthenticated attacker can submit a form entry containing a malicious script. This script is stored in the database and executes in the context of an administrative user when they view the form entry in the WordPress backend.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
everest_forms_submit_form(registered for unauthenticated users viawp_ajax_nopriv_everest_forms_submit_form). - Vulnerable Parameter: The field values within the
everest_formsarray (e.g.,everest_forms[form_id][field_id]). - Authentication: None (Unauthenticated).
- Preconditions: A form created with Everest Forms Pro must be published on a public-facing page or post.
3. Code Flow (Inferred)
- Entry Point: An AJAX POST request is sent to
admin-ajax.phpwithaction=everest_forms_submit_form. - Handler: The request is handled by
EVF_Frontend_Form_Handler::submit_form()(inferred). - Processing: The plugin iterates through the submitted field values in
$_POST['everest_forms']. - Storage: The unsanitized input is stored in the
wp_evf_entriestable (or similar custom table) viaEVF_Entries_Context::create_entry(). - Sink: When an administrator visits the "Entries" page (
wp-admin/admin.php?page=evf-entries), the plugin retrieves the entry data. - Execution: In the "Entry Details" view, the data is echoed back to the screen without using
esc_html()orwp_kses(), triggering the XSS in the admin's browser.
4. Nonce Acquisition Strategy
Everest Forms requires a security nonce for form submissions. This nonce is typically localized in a JavaScript object on any page where a form is embedded.
- Identify Shortcode: Use
wp-clito find or create a form and identify its ID. The shortcode is[everest_form id="FORM_ID"]. - Create Test Page: Create a public page containing the shortcode.
- Extract Nonce via Browser:
- Navigate to the test page using
browser_navigate. - Everest Forms localizes its data in a global object named
everest_forms_params. - Execute:
browser_eval("window.everest_forms_params?.evf_nonce")to retrieve the submission nonce. - Execute:
browser_eval("window.everest_forms_params?.ajax_url")to confirm the target endpoint.
- Navigate to the test page using
5. Exploitation Strategy
Step 1: Data Gathering
- Get the
form_idof an existing form. - Find the
field_idfor a text or textarea field in that form. Standard IDs are usually integers (e.g.,1,2).
Step 2: Form Submission (Payload Injection)
Submit a malicious POST request using the http_request tool.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Content-Type:
application/x-www-form-urlencoded - Body:
action=everest_forms_submit_form &security=[EXTRACTED_NONCE] &form_id=[FORM_ID] &everest_forms[[FORM_ID]][[FIELD_ID]]=<img src=x onerror="alert('XSS_SUCCESS')">
Step 3: Triggering XSS
The agent must simulate an admin viewing the entry.
- Log in as an admin.
- Navigate to
wp-admin/admin.php?page=evf-entries. - Click "View" on the latest entry (the URL usually looks like
wp-admin/admin.php?page=evf-entries&view=details&entry_id=N). - Confirm the
alertor script execution.
6. Test Data Setup
- Install Plugin: Ensure Everest Forms (Lite) and Everest Forms Pro are installed and active.
- Create Form:
# Create a basic form via WP-CLI (if the plugin supports it) or use a pre-defined JSON import if available. # Alternatively, use browser_navigate to manually create a simple form if CLI is unavailable. - Create Page:
wp post create --post_type=page --post_title="Contact Us" --post_status=publish --post_content='[everest_form id="1"]'
7. Expected Results
- The
http_requestfor form submission should return a JSON response indicating success (e.g.,{"success":true,...}). - The malicious payload
<img src=x onerror="...">should be stored in the database. - When the admin views the "Entry Details" page, the browser should execute the
onerrorevent.
8. Verification Steps
- Database Check:
wp db query "SELECT meta_value FROM wp_evf_entrymeta WHERE meta_value LIKE '%onerror%';" - Dashboard Check:
- Use
browser_navigateto the entries list. - Locate the entry and verify the payload is rendered in the HTML source without escaping:
// In browser_eval document.body.innerHTML.includes("onerror=\"alert('XSS_SUCCESS')\"") - Use
9. Alternative Approaches
- Pro-Specific Fields: If a standard text field is sanitized, test Pro-only fields like Address, Date, or Hidden Fields. Address fields often have sub-keys (e.g.,
everest_forms[id][field_id][city]). - Metadata Exploitation: Check if the
RefererorUser-Agentis tracked by the Pro version and displayed in the admin entry view. If so, inject the payload into theRefererheader of the submission request. - Calculation Fields: If the form uses Calculation fields, attempt to inject the payload through the inputs that feed into the calculation.
Summary
Everest Forms Pro versions up to 1.9.12 are vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) due to insufficient sanitization of form submission data. An unauthenticated attacker can submit a form containing malicious scripts that are stored in the database and executed in the context of an administrator's browser when they view the entry in the WordPress dashboard.
Security Fix
@@ -105,7 +105,7 @@ <div class="evf-entry-field-value"> - <?php echo $field_value; ?> + <?php echo wp_kses_post( $field_value ); ?> </div>
Exploit Outline
To exploit this vulnerability, an attacker first identifies a public-facing page containing an Everest Form. They extract the required submission nonce (evf_nonce) from the 'everest_forms_params' JavaScript object localized on the page. Using this nonce, the attacker sends an unauthenticated AJAX POST request to '/wp-admin/admin-ajax.php' with the action set to 'everest_forms_submit_form'. The payload, containing a malicious script such as '<img src=x onerror=alert(1)>', is included within the form field parameters (e.g., everest_forms[form_id][field_id]). If the form submission is successful, the payload is stored in the entry metadata. The XSS is triggered when an administrator navigates to the 'Entries' section in the WordPress backend and clicks to view the details of the malicious submission.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.