๐Ÿ” CVE Alert

CVE-2026-11571

HIGH 7.5

Everest Forms < 3.5.0 - Unauthenticated Sensitive Information Exposure via Residual CSV Artifacts

CVSS Score
7.5
EPSS Score
0.1%
EPSS Percentile
4th

The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via predictable, enumerable filenames.

Vendor unknown
Product everest forms
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for unknown everest forms

Be the first to know when new high vulnerabilities affecting unknown everest forms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Everest Forms
0 < 3.5.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/4bd381e9-2f4e-4e61-99af-88f50aed71f5/

Credits

Duy Tran WPScan