CVE-2026-11571 in Everest Forms Plugininfo

Summary

by MITRE • 07/09/2026

The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via predictable, enumerable filenames.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsible

WPScan

Reservation

06/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!