A critical security vulnerability tracked as CVE-2025-1128 (CVSS score of 9.8) has been discovered in Everest Forms, a widely used WordPress form plugin with over 100,000 active installations. The flaw lets an unauthenticated attacker upload, read, and delete arbitrary files on a vulnerable website, which leads to remote code execution (RCE) and, ultimately, full site takeover.
ThemeGrill, the company behind the plugin, has released version 3.0.9.5, which fixes the vulnerability; every earlier release is affected. Site owners should update to 3.0.9.5 or later immediately, since nothing short of the patch stops the unauthenticated uploads and deletions.
Security researcher Arkadiusz Hydzik uncovered and reported the flaw. Because the plugin's 'EVF_Form_Fields_Upload' class did not properly validate either the file type or the file path of an upload, an attacker could submit a malicious PHP script through a form field meant to accept text or CSV files.
Once such a file sits under the site's uploads directory, the attacker only has to request it by URL: the web server executes it as PHP, giving the attacker arbitrary code execution on the affected server.

In addition, the file path handed to the plugin's 'rename()' call was not sanitised, so an attacker could point it at any file on the server and read or delete it, including the critical 'wp-config.php' file. Deleting wp-config.php drops the site into the WordPress setup wizard; an attacker can then complete the installation against a database they control and take over the site that way.
Website administrators who suspect they were targeted should inspect their uploads directory (wp-content/uploads by default) for PHP files, including PHP code hidden in files carrying a .txt or .csv extension, and confirm that wp-config.php is still present and unmodified.
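The following script is an added example written for this article; it is not code from Everest Forms, ThemeGrill or the researcher. It shows two things the text describes: the file-name validation whose absence allowed both the disguised PHP upload and the path traversal into wp-config.php, and the post-incident checks recommended above, run against a constructed sample site. The directory layout (a `forms` folder under uploads), the sample file contents and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article, from ThemeGrill or from Everest Forms.
# (a) the file-name checks the article says the plugin lacked;
# (b) the post-incident checks the article recommends.
# Directory names and sample file contents below are assumptions.

# (a) Validate a user-supplied upload file name.
# Returns 0 if the name is safe to write under the uploads directory, 1 otherwise.
# Rejects path separators and ".." (so the name cannot reach wp-config.php or any
# other file outside the upload directory), dotfiles, and any PHP-style extension
# anywhere in the name (shell.php.csv can still be executed by some handler setups).
is_safe_upload_name() {
    name=$1
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    case "$lower" in
        ""|*/*|*\\*|*..*|.*) return 1 ;;
        *.php*|*.phtml*|*.phar*) return 1 ;;
    esac
    return 0
}

# SHA-256 of a file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# (b1) List files under the uploads directory that are PHP either by extension or
# by content: a '<?php' tag inside a .txt or .csv is exactly the disguise described.
find_php_in_uploads() {
    dir=$1
    {
        find "$dir" -type f \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.phar' \)
        grep -rl -- '<?php' "$dir" 2>/dev/null || true
    } | sort -u
}

# (b2) Compare wp-config.php with a hash recorded while the site was known-good.
# Prints ok, modified or missing. "missing" is the state that drops WordPress into
# setup mode, where an attacker can point it at a database they control.
check_wp_config() {
    file=$1
    known=$2
    if [ ! -f "$file" ]; then
        echo missing
    elif [ "$(hash_file "$file")" = "$known" ]; then
        echo ok
    else
        echo modified
    fi
}

# Constructed sample site (not real data): one benign CSV, one PHP file disguised
# as CSV, one double-extension file, and a wp-config.php. Prints the site root.
build_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/forms"
    printf 'name,email\nalice,alice@example.com\n' > "$root/wp-content/uploads/forms/entries.csv"
    printf '<?php echo "disguised"; ?>\n' > "$root/wp-content/uploads/forms/report.csv"
    printf '<?php echo "double"; ?>\n' > "$root/wp-content/uploads/forms/shell.php.txt"
    printf "<?php define('DB_NAME', 'wp'); ?>\n" > "$root/wp-config.php"
    printf '%s\n' "$root"
}

# Walk-through on the sample site.
site=$(build_sample_site)
baseline=$(hash_file "$site/wp-config.php")   # record this while the site is clean
echo "Suspicious uploads (report.csv and shell.php.txt, not entries.csv):"
find_php_in_uploads "$site/wp-content/uploads"
echo "wp-config.php before deletion: $(check_wp_config "$site/wp-config.php" "$baseline")"
rm "$site/wp-config.php"
echo "wp-config.php after deletion: $(check_wp_config "$site/wp-config.php" "$baseline")"
rm -rf "$site"
```

The name check is deliberately conservative: it refuses anything containing `.php` anywhere, so a legitimate `data.phpreport.csv` is rejected too, which is the right trade-off for a public upload endpoint. The content scan matters more than the extension scan for this flaw, because the malicious file may never have had a `.php` name; and the wp-config.php hash must be captured before an incident, so it belongs in the site's regular backup or monitoring routine rather than being computed after the fact.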
A few weeks ago, a critical vulnerability was discovered in the Admin and Site Enhancement (ASE) plugin, which has more than 100,000 active installations; both the free and pro versions were affected.
Last month, yet another popular WordPress plugin, Easy Real Estate, suffered two critical vulnerabilities affecting more than 32,000 websites, and Essential Addons for Elementor was found to have a reflected cross-site scripting (XSS) flaw.
Last week, a privilege escalation security flaw in the K Elements plugin affected over 23,000 websites.