Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder <= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending
Description
The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v3.4.8
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-4888 (Everest Forms) ## 1. Vulnerability Summary - **Vulnerability:** Missing Authorization (Capability Check) - **Plugin:** Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder (everest-forms) - **Affected Versions:** <= 3.4.7 - **V…
Show full research plan
Exploitation Research Plan - CVE-2026-4888 (Everest Forms)
1. Vulnerability Summary
- Vulnerability: Missing Authorization (Capability Check)
- Plugin: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder (everest-forms)
- Affected Versions: <= 3.4.7
- Vulnerable Function:
send_test_email() - Impact: Authenticated attackers with Subscriber-level permissions can send arbitrary emails to any recipient via the server's mail system. This can be used for spamming, phishing, or bypassing IP-based mail reputation filters.
- Cause: The
send_test_email()function, registered as an AJAX action, performs a nonce check but lacks a corresponding capability check (e.g.,current_user_can('manage_options')) to ensure the user has administrative privileges.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
everest_forms_send_test_email(inferred from typical Everest Forms AJAX naming conventions) - HTTP Method: POST
- Authentication: Authenticated (Subscriber or higher)
- Required Parameters:
action:everest_forms_send_test_emailsecurity: A valid nonce for the settings action.email: The destination email address.
- Preconditions: The attacker must have a valid Subscriber account and be able to obtain the nonce typically used for administrative settings.
3. Code Flow
- Registration: In the administrative settings class (likely
EVF_Admin_Settings), the functionsend_test_emailis hooked towp_ajax_everest_forms_send_test_email. - AJAX Request: A Subscriber sends a POST request to
admin-ajax.phpwith the actioneverest_forms_send_test_email. - Nonce Verification: The handler calls
check_ajax_referer( 'everest-forms-settings', 'security' )(inferred). This verifies the request came from a valid session. - Missing Check: The code proceeds directly to processing the email without checking if the user is an administrator.
- Execution: The handler retrieves the
emailparameter from$_POSTand callswp_mail()or a wrapper function to send a "Test Email" to that address.
4. Nonce Acquisition Strategy
To exploit this as a Subscriber, we must find where the everest-forms-settings nonce is localized. Many plugins mistakenly enqueue administrative nonces on all admin dashboard pages for authenticated users.
- Login as Subscriber: Log into the WordPress instance as a Subscriber.
- Access Admin Dashboard: Navigate to
/wp-admin/profile.phpor/wp-admin/index.php. - Inspect Localized Scripts: Everest Forms often localizes data under the variable
evf_settings_paramsoreverest_forms_admin. - Tool Strategy:
- Use
browser_navigateto/wp-admin/index.php. - Use
browser_evalto find the nonce:// Possible candidates for the nonce window.evf_settings_params?.evf_settings_nonce || window.everest_forms_admin?.nonce || window.everest_forms_settings?.nonce - If not found on the main dashboard, check if the plugin enqueues assets on standard pages like
profile.php.
- Use
5. Exploitation Strategy
Once the nonce is obtained:
- Craft Request:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=everest_forms_send_test_email&security=[NONCE]&email=attacker-controlled@example.com
- URL:
- Execute: Use the
http_requesttool to send the payload. - Analyze Response: A successful exploit typically returns a JSON success object:
{"success":true,"data":"Email sent successfully"}.
6. Test Data Setup
- Environment: Install WordPress with Everest Forms version 3.4.7.
- User: Create a user with the
Subscriberrole. - Mail Configuration: Ensure the server is configured to send mail (e.g., using a local mail trap like Mailhog) so the
wp_mail()function doesn't return an error.
7. Expected Results
- The
http_requestshould return a200 OKstatus. - The response body should contain
{"success":true}. - The mail server/trap should receive an email with a subject like "Everest Forms - Test Email".
8. Verification Steps
- Check Response: Confirm the JSON response indicates success.
- WP-CLI Verification: If mail is captured locally, check the mail logs. Alternatively, check the
wp_optionsor logs if the plugin records test email attempts (unlikely for a test function). - Error Case: Attempt the same request without the
securityparameter to confirm the nonce check is active (should return403or-1). - Fix Verification: Repeat the exploit on version 3.4.8. The request should return
403 Forbiddenor a JSON error indicating insufficient permissions.
9. Alternative Approaches
- Action Guessing: If
everest_forms_send_test_emailfails, search the codebase foradd_action( 'wp_ajax_to find the exact registered action for thesend_test_emailfunction. - Nonce Bypass: Check if
check_ajax_refereris called withfalseas the third argument (e.g.,check_ajax_referer( 'action', 'security', false )). If so, the script may not die on failure, and the exploit will work even with an invalid nonce. - Frontend Nonce: If the admin nonce is inaccessible to Subscribers, check if the frontend nonce
everest_forms_ajax_submission_params.evf_ajax_submissionis accepted by the administrative handler (though unlikely due to different action strings).
Summary
The Everest Forms plugin (<= 3.4.7) contains a missing authorization vulnerability in its test email functionality. Specifically, the `send_test_email()` AJAX handler verifies a nonce but lacks a capability check, allowing authenticated users with Subscriber-level permissions or higher to send arbitrary emails from the server.
Vulnerable Code
// File: includes/admin/class-evf-admin-settings.php (inferred) public static function send_test_email() { check_ajax_referer( 'everest-forms-settings', 'security' ); $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : ''; if ( ! empty( $email ) ) { // Logic to send a test email using wp_mail() proceeds without checking user capabilities $sent = wp_mail( $email, esc_html__( 'Everest Forms - Test Email', 'everest-forms' ), esc_html__( 'This is a test email.', 'everest-forms' ) ); if ( $sent ) { wp_send_json_success(); } } wp_send_json_error(); }
Security Fix
@@ -100,6 +100,10 @@ public static function send_test_email() { check_ajax_referer( 'everest-forms-settings', 'security' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( esc_html__( 'You do not have permission to perform this action.', 'everest-forms' ) ); + } + $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
Exploit Outline
To exploit this vulnerability, an attacker first logs into the WordPress site as a Subscriber. They then inspect the admin dashboard (e.g., profile.php) to find the localized 'everest-forms-settings' nonce, which is often enqueued for all authenticated users in the 'evf_settings_params' or similar JavaScript object. Once the nonce is obtained, the attacker sends an AJAX POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'everest_forms_send_test_email'. By including the stolen nonce in the 'security' parameter and an arbitrary email address in the 'email' parameter, the server will dispatch a test email to that address, as it fails to verify if the requesting user has administrative ('manage_options') privileges.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.