CVE-2026-4888

Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder <= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.4.8
Patched in
1d
Time to patch

Description

The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.4.7
PublishedMay 27, 2026
Last updatedMay 27, 2026
Affected plugineverest-forms

What Changed in the Fix

Changes introduced in v3.4.8

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-4888 (Everest Forms) ## 1. Vulnerability Summary - **Vulnerability:** Missing Authorization (Capability Check) - **Plugin:** Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder (everest-forms) - **Affected Versions:** <= 3.4.7 - **V…

Show full research plan

Exploitation Research Plan - CVE-2026-4888 (Everest Forms)

1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Capability Check)
  • Plugin: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder (everest-forms)
  • Affected Versions: <= 3.4.7
  • Vulnerable Function: send_test_email()
  • Impact: Authenticated attackers with Subscriber-level permissions can send arbitrary emails to any recipient via the server's mail system. This can be used for spamming, phishing, or bypassing IP-based mail reputation filters.
  • Cause: The send_test_email() function, registered as an AJAX action, performs a nonce check but lacks a corresponding capability check (e.g., current_user_can('manage_options')) to ensure the user has administrative privileges.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: everest_forms_send_test_email (inferred from typical Everest Forms AJAX naming conventions)
  • HTTP Method: POST
  • Authentication: Authenticated (Subscriber or higher)
  • Required Parameters:
    • action: everest_forms_send_test_email
    • security: A valid nonce for the settings action.
    • email: The destination email address.
  • Preconditions: The attacker must have a valid Subscriber account and be able to obtain the nonce typically used for administrative settings.

3. Code Flow

  1. Registration: In the administrative settings class (likely EVF_Admin_Settings), the function send_test_email is hooked to wp_ajax_everest_forms_send_test_email.
  2. AJAX Request: A Subscriber sends a POST request to admin-ajax.php with the action everest_forms_send_test_email.
  3. Nonce Verification: The handler calls check_ajax_referer( 'everest-forms-settings', 'security' ) (inferred). This verifies the request came from a valid session.
  4. Missing Check: The code proceeds directly to processing the email without checking if the user is an administrator.
  5. Execution: The handler retrieves the email parameter from $_POST and calls wp_mail() or a wrapper function to send a "Test Email" to that address.

4. Nonce Acquisition Strategy

To exploit this as a Subscriber, we must find where the everest-forms-settings nonce is localized. Many plugins mistakenly enqueue administrative nonces on all admin dashboard pages for authenticated users.

  1. Login as Subscriber: Log into the WordPress instance as a Subscriber.
  2. Access Admin Dashboard: Navigate to /wp-admin/profile.php or /wp-admin/index.php.
  3. Inspect Localized Scripts: Everest Forms often localizes data under the variable evf_settings_params or everest_forms_admin.
  4. Tool Strategy:
    • Use browser_navigate to /wp-admin/index.php.
    • Use browser_eval to find the nonce:
      // Possible candidates for the nonce
      window.evf_settings_params?.evf_settings_nonce || 
      window.everest_forms_admin?.nonce ||
      window.everest_forms_settings?.nonce
      
    • If not found on the main dashboard, check if the plugin enqueues assets on standard pages like profile.php.

5. Exploitation Strategy

Once the nonce is obtained:

  1. Craft Request:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=everest_forms_send_test_email&security=[NONCE]&email=attacker-controlled@example.com
  2. Execute: Use the http_request tool to send the payload.
  3. Analyze Response: A successful exploit typically returns a JSON success object: {"success":true,"data":"Email sent successfully"}.

6. Test Data Setup

  1. Environment: Install WordPress with Everest Forms version 3.4.7.
  2. User: Create a user with the Subscriber role.
  3. Mail Configuration: Ensure the server is configured to send mail (e.g., using a local mail trap like Mailhog) so the wp_mail() function doesn't return an error.

7. Expected Results

  • The http_request should return a 200 OK status.
  • The response body should contain {"success":true}.
  • The mail server/trap should receive an email with a subject like "Everest Forms - Test Email".

8. Verification Steps

  1. Check Response: Confirm the JSON response indicates success.
  2. WP-CLI Verification: If mail is captured locally, check the mail logs. Alternatively, check the wp_options or logs if the plugin records test email attempts (unlikely for a test function).
  3. Error Case: Attempt the same request without the security parameter to confirm the nonce check is active (should return 403 or -1).
  4. Fix Verification: Repeat the exploit on version 3.4.8. The request should return 403 Forbidden or a JSON error indicating insufficient permissions.

9. Alternative Approaches

  • Action Guessing: If everest_forms_send_test_email fails, search the codebase for add_action( 'wp_ajax_ to find the exact registered action for the send_test_email function.
  • Nonce Bypass: Check if check_ajax_referer is called with false as the third argument (e.g., check_ajax_referer( 'action', 'security', false )). If so, the script may not die on failure, and the exploit will work even with an invalid nonce.
  • Frontend Nonce: If the admin nonce is inaccessible to Subscribers, check if the frontend nonce everest_forms_ajax_submission_params.evf_ajax_submission is accepted by the administrative handler (though unlikely due to different action strings).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Everest Forms plugin (<= 3.4.7) contains a missing authorization vulnerability in its test email functionality. Specifically, the `send_test_email()` AJAX handler verifies a nonce but lacks a capability check, allowing authenticated users with Subscriber-level permissions or higher to send arbitrary emails from the server.

Vulnerable Code

// File: includes/admin/class-evf-admin-settings.php (inferred)
public static function send_test_email() {
    check_ajax_referer( 'everest-forms-settings', 'security' );

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    if ( ! empty( $email ) ) {
        // Logic to send a test email using wp_mail() proceeds without checking user capabilities
        $sent = wp_mail( $email, esc_html__( 'Everest Forms - Test Email', 'everest-forms' ), esc_html__( 'This is a test email.', 'everest-forms' ) );
        if ( $sent ) {
            wp_send_json_success();
        }
    }
    wp_send_json_error();
}

Security Fix

--- includes/admin/class-evf-admin-settings.php
+++ includes/admin/class-evf-admin-settings.php
@@ -100,6 +100,10 @@
 	public static function send_test_email() {
 		check_ajax_referer( 'everest-forms-settings', 'security' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( esc_html__( 'You do not have permission to perform this action.', 'everest-forms' ) );
+		}
+
 		$email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

Exploit Outline

To exploit this vulnerability, an attacker first logs into the WordPress site as a Subscriber. They then inspect the admin dashboard (e.g., profile.php) to find the localized 'everest-forms-settings' nonce, which is often enqueued for all authenticated users in the 'evf_settings_params' or similar JavaScript object. Once the nonce is obtained, the attacker sends an AJAX POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'everest_forms_send_test_email'. By including the stolen nonce in the 'security' parameter and an arbitrary email address in the 'email' parameter, the server will dispatch a test email to that address, as it fails to verify if the requesting user has administrative ('manage_options') privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.