[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLk9TJIV57S81ULT559tRBoMe5ZgLoyUomElxmByc3FI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4888","everest-forms-contact-form-payment-form-quiz-survey-custom-form-builder-missing-authorization-to-authenticated-subscribe","Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder \u003C= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending","The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.","everest-forms",null,"\u003C=3.4.7","3.4.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 10:58:29","2026-05-27 23:26:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8bced7df-3e1a-4d7b-9ad0-64be5e18900f?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin-rtl.css","assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.scss","assets\u002Fjs\u002Ffrontend\u002Fajax-submission.js","assets\u002Fjs\u002Ffrontend\u002Fajax-submission.min.js","everest-forms.php","includes\u002Fabstracts\u002Fclass-evf-form-fields-upload.php","includes\u002Fclass-everest-forms.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-4888 (Everest Forms)\n\n## 1. Vulnerability Summary\n- **Vulnerability:** Missing Authorization (Capability Check)\n- **Plugin:** Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder (everest-forms)\n- **Affected Versions:** \u003C= 3.4.7\n- **Vulnerable Function:** `send_test_email()`\n- **Impact:** Authenticated attackers with Subscriber-level permissions can send arbitrary emails to any recipient via the server's mail system. This can be used for spamming, phishing, or bypassing IP-based mail reputation filters.\n- **Cause:** The `send_test_email()` function, registered as an AJAX action, performs a nonce check but lacks a corresponding capability check (e.g., `current_user_can('manage_options')`) to ensure the user has administrative privileges.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `everest_forms_send_test_email` (inferred from typical Everest Forms AJAX naming conventions)\n- **HTTP Method:** POST\n- **Authentication:** Authenticated (Subscriber or higher)\n- **Required Parameters:**\n  - `action`: `everest_forms_send_test_email`\n  - `security`: A valid nonce for the settings action.\n  - `email`: The destination email address.\n- **Preconditions:** The attacker must have a valid Subscriber account and be able to obtain the nonce typically used for administrative settings.\n\n## 3. Code Flow\n1. **Registration:** In the administrative settings class (likely `EVF_Admin_Settings`), the function `send_test_email` is hooked to `wp_ajax_everest_forms_send_test_email`.\n2. **AJAX Request:** A Subscriber sends a POST request to `admin-ajax.php` with the action `everest_forms_send_test_email`.\n3. **Nonce Verification:** The handler calls `check_ajax_referer( 'everest-forms-settings', 'security' )` (inferred). This verifies the request came from a valid session.\n4. **Missing Check:** The code proceeds directly to processing the email without checking if the user is an administrator.\n5. **Execution:** The handler retrieves the `email` parameter from `$_POST` and calls `wp_mail()` or a wrapper function to send a \"Test Email\" to that address.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this as a Subscriber, we must find where the `everest-forms-settings` nonce is localized. Many plugins mistakenly enqueue administrative nonces on all admin dashboard pages for authenticated users.\n\n1. **Login as Subscriber:** Log into the WordPress instance as a Subscriber.\n2. **Access Admin Dashboard:** Navigate to `\u002Fwp-admin\u002Fprofile.php` or `\u002Fwp-admin\u002Findex.php`.\n3. **Inspect Localized Scripts:** Everest Forms often localizes data under the variable `evf_settings_params` or `everest_forms_admin`.\n4. **Tool Strategy:**\n   - Use `browser_navigate` to `\u002Fwp-admin\u002Findex.php`.\n   - Use `browser_eval` to find the nonce:\n     ```javascript\n     \u002F\u002F Possible candidates for the nonce\n     window.evf_settings_params?.evf_settings_nonce || \n     window.everest_forms_admin?.nonce ||\n     window.everest_forms_settings?.nonce\n     ```\n   - If not found on the main dashboard, check if the plugin enqueues assets on standard pages like `profile.php`.\n\n## 5. Exploitation Strategy\nOnce the nonce is obtained:\n1. **Craft Request:**\n   - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Method:** `POST`\n   - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body:** `action=everest_forms_send_test_email&security=[NONCE]&email=attacker-controlled@example.com`\n2. **Execute:** Use the `http_request` tool to send the payload.\n3. **Analyze Response:** A successful exploit typically returns a JSON success object: `{\"success\":true,\"data\":\"Email sent successfully\"}`.\n\n## 6. Test Data Setup\n1. **Environment:** Install WordPress with Everest Forms version 3.4.7.\n2. **User:** Create a user with the `Subscriber` role.\n3. **Mail Configuration:** Ensure the server is configured to send mail (e.g., using a local mail trap like Mailhog) so the `wp_mail()` function doesn't return an error.\n\n## 7. Expected Results\n- The `http_request` should return a `200 OK` status.\n- The response body should contain `{\"success\":true}`.\n- The mail server\u002Ftrap should receive an email with a subject like \"Everest Forms - Test Email\".\n\n## 8. Verification Steps\n1. **Check Response:** Confirm the JSON response indicates success.\n2. **WP-CLI Verification:** If mail is captured locally, check the mail logs. Alternatively, check the `wp_options` or logs if the plugin records test email attempts (unlikely for a test function).\n3. **Error Case:** Attempt the same request without the `security` parameter to confirm the nonce check is active (should return `403` or `-1`).\n4. **Fix Verification:** Repeat the exploit on version 3.4.8. The request should return `403 Forbidden` or a JSON error indicating insufficient permissions.\n\n## 9. Alternative Approaches\n- **Action Guessing:** If `everest_forms_send_test_email` fails, search the codebase for `add_action( 'wp_ajax_` to find the exact registered action for the `send_test_email` function.\n- **Nonce Bypass:** Check if `check_ajax_referer` is called with `false` as the third argument (e.g., `check_ajax_referer( 'action', 'security', false )`). If so, the script may not die on failure, and the exploit will work even with an invalid nonce.\n- **Frontend Nonce:** If the admin nonce is inaccessible to Subscribers, check if the frontend nonce `everest_forms_ajax_submission_params.evf_ajax_submission` is accepted by the administrative handler (though unlikely due to different action strings).","The Everest Forms plugin (\u003C= 3.4.7) contains a missing authorization vulnerability in its test email functionality. Specifically, the `send_test_email()` AJAX handler verifies a nonce but lacks a capability check, allowing authenticated users with Subscriber-level permissions or higher to send arbitrary emails from the server.","\u002F\u002F File: includes\u002Fadmin\u002Fclass-evf-admin-settings.php (inferred)\npublic static function send_test_email() {\n    check_ajax_referer( 'everest-forms-settings', 'security' );\n\n    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';\n\n    if ( ! empty( $email ) ) {\n        \u002F\u002F Logic to send a test email using wp_mail() proceeds without checking user capabilities\n        $sent = wp_mail( $email, esc_html__( 'Everest Forms - Test Email', 'everest-forms' ), esc_html__( 'This is a test email.', 'everest-forms' ) );\n        if ( $sent ) {\n            wp_send_json_success();\n        }\n    }\n    wp_send_json_error();\n}","--- includes\u002Fadmin\u002Fclass-evf-admin-settings.php\n+++ includes\u002Fadmin\u002Fclass-evf-admin-settings.php\n@@ -100,6 +100,10 @@\n \tpublic static function send_test_email() {\n \t\tcheck_ajax_referer( 'everest-forms-settings', 'security' );\n \n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\twp_send_json_error( esc_html__( 'You do not have permission to perform this action.', 'everest-forms' ) );\n+\t\t}\n+\n \t\t$email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';","To exploit this vulnerability, an attacker first logs into the WordPress site as a Subscriber. They then inspect the admin dashboard (e.g., profile.php) to find the localized 'everest-forms-settings' nonce, which is often enqueued for all authenticated users in the 'evf_settings_params' or similar JavaScript object. Once the nonce is obtained, the attacker sends an AJAX POST request to the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint with the 'action' parameter set to 'everest_forms_send_test_email'. By including the stolen nonce in the 'security' parameter and an arbitrary email address in the 'email' parameter, the server will dispatch a test email to that address, as it fails to verify if the requesting user has administrative ('manage_options') privileges.","gemini-3-flash-preview","2026-06-04 17:20:05","2026-06-04 17:21:04",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.4.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feverest-forms\u002Ftags\u002F3.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feverest-forms.3.4.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feverest-forms\u002Ftags\u002F3.4.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feverest-forms.3.4.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feverest-forms\u002Ftags"]