CVE-2026-11571
Everest Forms < 3.5.0 - Unauthenticated Sensitive Information Exposure via Residual CSV Artifacts
CVSS Score
7.5
EPSS Score
0.1%
EPSS Percentile
4th
The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via predictable, enumerable filenames.
| Vendor | unknown |
| Product | everest forms |
| Published | Jul 9, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown everest forms
Be the first to know when new high vulnerabilities affecting unknown everest forms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Everest Forms
0 < 3.5.0
References
Credits
Duy Tran WPScan