[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIqeiuJrhEh8LhasNcj0WqQOjPg1aV1wMlAV4PyLkrtI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-27070","everest-forms-pro-unauthenticated-stored-cross-site-scripting","Everest Forms Pro \u003C= 1.9.12 - Unauthenticated Stored Cross-Site Scripting","The Everest Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","everest-forms-pro",null,"\u003C=1.9.12","1.9.13","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-12 00:00:00","2026-04-14 14:35:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4f060807-cd59-4558-a30b-00b4b947f3f7?source=api-prod",34,[],"researched",false,3,"This research plan outlines the methodology for analyzing and exploiting the Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Everest Forms Pro (CVE-2026-27070).\n\n## 1. Vulnerability Summary\nEverest Forms Pro (up to 1.9.12) contains a stored XSS vulnerability because it fails to adequately sanitize or escape user-supplied data during form submission and subsequent display in the administrative dashboard. An unauthenticated attacker can submit a form entry containing a malicious script. This script is stored in the database and executes in the context of an administrative user when they view the form entry in the WordPress backend.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `everest_forms_submit_form` (registered for unauthenticated users via `wp_ajax_nopriv_everest_forms_submit_form`).\n*   **Vulnerable Parameter:** The field values within the `everest_forms` array (e.g., `everest_forms[form_id][field_id]`).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** A form created with Everest Forms Pro must be published on a public-facing page or post.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An AJAX POST request is sent to `admin-ajax.php` with `action=everest_forms_submit_form`.\n2.  **Handler:** The request is handled by `EVF_Frontend_Form_Handler::submit_form()` (inferred).\n3.  **Processing:** The plugin iterates through the submitted field values in `$_POST['everest_forms']`.\n4.  **Storage:** The unsanitized input is stored in the `wp_evf_entries` table (or similar custom table) via `EVF_Entries_Context::create_entry()`.\n5.  **Sink:** When an administrator visits the \"Entries\" page (`wp-admin\u002Fadmin.php?page=evf-entries`), the plugin retrieves the entry data.\n6.  **Execution:** In the \"Entry Details\" view, the data is echoed back to the screen without using `esc_html()` or `wp_kses()`, triggering the XSS in the admin's browser.\n\n## 4. Nonce Acquisition Strategy\nEverest Forms requires a security nonce for form submissions. This nonce is typically localized in a JavaScript object on any page where a form is embedded.\n\n1.  **Identify Shortcode:** Use `wp-cli` to find or create a form and identify its ID. The shortcode is `[everest_form id=\"FORM_ID\"]`.\n2.  **Create Test Page:** Create a public page containing the shortcode.\n3.  **Extract Nonce via Browser:**\n    *   Navigate to the test page using `browser_navigate`.\n    *   Everest Forms localizes its data in a global object named `everest_forms_params`.\n    *   Execute: `browser_eval(\"window.everest_forms_params?.evf_nonce\")` to retrieve the submission nonce.\n    *   Execute: `browser_eval(\"window.everest_forms_params?.ajax_url\")` to confirm the target endpoint.\n\n## 5. Exploitation Strategy\n### Step 1: Data Gathering\n*   Get the `form_id` of an existing form.\n*   Find the `field_id` for a text or textarea field in that form. Standard IDs are usually integers (e.g., `1`, `2`).\n\n### Step 2: Form Submission (Payload Injection)\nSubmit a malicious POST request using the `http_request` tool.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=everest_forms_submit_form\n    &security=[EXTRACTED_NONCE]\n    &form_id=[FORM_ID]\n    &everest_forms[[FORM_ID]][[FIELD_ID]]=\u003Cimg src=x onerror=\"alert('XSS_SUCCESS')\">\n    ```\n\n### Step 3: Triggering XSS\nThe agent must simulate an admin viewing the entry.\n*   Log in as an admin.\n*   Navigate to `wp-admin\u002Fadmin.php?page=evf-entries`.\n*   Click \"View\" on the latest entry (the URL usually looks like `wp-admin\u002Fadmin.php?page=evf-entries&view=details&entry_id=N`).\n*   Confirm the `alert` or script execution.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure Everest Forms (Lite) and Everest Forms Pro are installed and active.\n2.  **Create Form:** \n    ```bash\n    # Create a basic form via WP-CLI (if the plugin supports it) or use a pre-defined JSON import if available.\n    # Alternatively, use browser_navigate to manually create a simple form if CLI is unavailable.\n    ```\n3.  **Create Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Contact Us\" --post_status=publish --post_content='[everest_form id=\"1\"]'\n    ```\n\n## 7. Expected Results\n*   The `http_request` for form submission should return a JSON response indicating success (e.g., `{\"success\":true,...}`).\n*   The malicious payload `\u003Cimg src=x onerror=\"...\">` should be stored in the database.\n*   When the admin views the \"Entry Details\" page, the browser should execute the `onerror` event.\n\n## 8. Verification Steps\n1.  **Database Check:**\n    ```bash\n    wp db query \"SELECT meta_value FROM wp_evf_entrymeta WHERE meta_value LIKE '%onerror%';\"\n    ```\n2.  **Dashboard Check:**\n    *   Use `browser_navigate` to the entries list.\n    *   Locate the entry and verify the payload is rendered in the HTML source without escaping:\n    ```javascript\n    \u002F\u002F In browser_eval\n    document.body.innerHTML.includes(\"onerror=\\\"alert('XSS_SUCCESS')\\\"\")\n    ```\n\n## 9. Alternative Approaches\n*   **Pro-Specific Fields:** If a standard text field is sanitized, test Pro-only fields like **Address**, **Date**, or **Hidden Fields**. Address fields often have sub-keys (e.g., `everest_forms[id][field_id][city]`).\n*   **Metadata Exploitation:** Check if the `Referer` or `User-Agent` is tracked by the Pro version and displayed in the admin entry view. If so, inject the payload into the `Referer` header of the submission request.\n*   **Calculation Fields:** If the form uses Calculation fields, attempt to inject the payload through the inputs that feed into the calculation.","Everest Forms Pro versions up to 1.9.12 are vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) due to insufficient sanitization of form submission data. An unauthenticated attacker can submit a form containing malicious scripts that are stored in the database and executed in the context of an administrator's browser when they view the entry in the WordPress dashboard.","--- a\u002Fincludes\u002Fadmin\u002Fentries\u002Fclass-evf-admin-entries-details.php\n+++ b\u002Fincludes\u002Fadmin\u002Fentries\u002Fclass-evf-admin-entries-details.php\n@@ -105,7 +105,7 @@\n \t\t\t\t\t\t\t\t\t\u003Cdiv class=\"evf-entry-field-value\">\n-\t\t\t\t\t\t\t\t\t\t\u003C?php echo $field_value; ?>\n+\t\t\t\t\t\t\t\t\t\t\u003C?php echo wp_kses_post( $field_value ); ?>\n \t\t\t\t\t\t\t\t\t\u003C\u002Fdiv>","To exploit this vulnerability, an attacker first identifies a public-facing page containing an Everest Form. They extract the required submission nonce (evf_nonce) from the 'everest_forms_params' JavaScript object localized on the page. Using this nonce, the attacker sends an unauthenticated AJAX POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the action set to 'everest_forms_submit_form'. The payload, containing a malicious script such as '\u003Cimg src=x onerror=alert(1)>', is included within the form field parameters (e.g., everest_forms[form_id][field_id]). If the form submission is successful, the payload is stored in the entry metadata. The XSS is triggered when an administrator navigates to the 'Entries' section in the WordPress backend and clicks to view the details of the malicious submission.","gemini-3-flash-preview","2026-04-18 04:03:30","2026-04-18 04:04:02",{"type":33,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":34},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feverest-forms-pro\u002Ftags"]