MEDIUM 4.3

CVE-2026-4888: Everest Forms Missing Capability Check Enables Unauthorized Email Sending

Everest Forms, a popular WordPress form-building plugin, contains a security flaw that allows low-privilege logged-in users to send emails from your website to anyone they choose. Any user with Subscriber access or higher can exploit this by calling an internal email-testing function without proper permission checks. This doesn't require clicking malicious links or advanced technical skills—just authenticated access to your WordPress admin panel.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-4888 is a missing capability check vulnerability in the Everest Forms plugin (versions up to 3.4.7) affecting the send_test_email() function. The function lacks authorization validation before executing, allowing authenticated users to invoke test email functionality with arbitrary recipient addresses. The vulnerability is classified as CWE-862 (Missing Authorization) and carries a CVSS 3.1 score of 4.3 (Medium severity) with a network vector, low attack complexity, and low privilege requirement.

Business impact

This vulnerability enables account compromise signaling, phishing campaign staging, and domain reputation damage. An attacker with even basic WordPress user credentials can dispatch emails from your domain to external addresses, potentially impersonating legitimate communications. This could be leveraged for social engineering, spam campaigns, or reconnaissance. While the direct impact is limited to email integrity (CVSS impact: Integrity:L), the reputational and operational consequences—including potential listing on email blacklists—can be significant for organizations relying on WordPress-based communication workflows.

Affected systems

All installations of Everest Forms plugin versions 3.4.7 and earlier are affected. This includes any WordPress site running the plugin with any user account at Subscriber level or above. Multisite WordPress installations are also at risk. Organizations should audit their WordPress installations to identify which sites use this plugin and confirm the currently running version.

Exploitability

The attack surface is moderate. Exploitation requires pre-existing authenticated access—an attacker must have a valid WordPress user account. However, the barrier to entry is low: Subscriber is the default lowest user role, widely granted to contributors, commenters, and trial accounts. Subscriber accounts are often distributed liberally and may have weak credentials. No user interaction is required once authenticated, and the attack is trivial to execute programmatically. The CVSS vector (PR:L/UI:N/AC:L) reflects this straightforward exploitation path.

Remediation

Update Everest Forms to version 3.4.8 or later immediately. The vendor has patched this vulnerability by implementing proper capability checks on the send_test_email() function. Verify the patch version against the official plugin repository or vendor advisory before deployment. As an interim measure, restrict Subscriber and Contributor role capabilities through role management plugins if you cannot patch immediately, though this is not a substitute for the security fix.

Patch guidance

Visit the WordPress plugin repository or your plugin dashboard and upgrade Everest Forms to the latest available version. The patch was released following the CVE publication date of 2026-05-28. Test the update in a staging environment first to ensure compatibility with your form configurations and any custom extensions. After patching, verify that form submission and email notifications continue to function correctly. Document the patching date and version for compliance records.

Detection guidance

Monitor WordPress admin logs for send_test_email() function calls, particularly those originating from Subscriber or Contributor accounts. Check email server logs for unusual outbound test emails sent to external domains from your WordPress installation. Review user access logs around the CVE publication date for suspicious login activity on low-privilege accounts. Consider enabling detailed logging via WordPress security plugins (e.g., Wordfence, Sucuri) to flag capability-related events. Automated SIEM rules should flag unexpected outbound email patterns from web application servers.

Why prioritize this

Although the CVSS score is Medium (4.3), prioritize patching within 30 days. The vulnerability requires authentication but is easily exploitable by low-privilege users who may be compromised or disgruntled. The ability to send emails from your domain poses reputational and legal risks (phishing, spam). The high prevalence of the Everest Forms plugin across WordPress sites and the typical loose distribution of Subscriber accounts elevate practical risk beyond the base score. This is not a zero-day critical issue, but it's a clear operational security gap that should be closed promptly.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects network accessibility (AV:N), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), and limited scope impact (S:U) affecting only integrity (I:L). The score appropriately downgrades severity because the vulnerability does not enable code execution, privilege escalation, or data confidentiality breaches. However, the practical risk is amplified by the ubiquity of the plugin, liberal Subscriber role distribution, and the secondary consequences of domain abuse.

Frequently asked questions

Do I need Subscriber-level access to exploit this, or can an unauthenticated attacker do it?

Authenticated access is required. An attacker must have at least a Subscriber-level WordPress account. Unauthenticated users cannot exploit this vulnerability directly. However, Subscriber accounts are often the easiest to obtain or compromise on WordPress sites.

Can this vulnerability be exploited to steal sensitive data or take over my WordPress site?

No. This vulnerability is limited to unauthorized email sending. It does not grant file system access, database access, or the ability to execute arbitrary code. It does not enable privilege escalation to Administrator. The risk is integrity of outbound communications, not confidentiality or availability of your site.

I run a multisite WordPress network. Do I need to patch every site individually?

If you use a network-wide plugin installation, updating once will protect all sites. If individual sites have their own plugin instances, you should update each. Check your WordPress network settings to determine your deployment model, then verify the Everest Forms version across all affected installations.

What should I do if I suspect this vulnerability has already been exploited?

Review email server logs and WordPress audit logs for unauthorized test emails sent between the CVE publication date (2026-05-28) and your patching date. Check your domain's reputation on email blacklists. If unauthorized emails were sent, notify affected recipients, document the incident, and reset Subscriber-level user credentials as a precaution.

This analysis is based on the official CVE record and vendor information current as of the modification date (2026-06-17). Security researchers should verify patch availability and affected version numbers against the official Everest Forms plugin repository and vendor advisory before deploying patches. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of this analysis date. Threat intelligence and exploitation activity may emerge after publication; monitor threat feeds and vendor advisories for updates. This explainer is provided for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment based on their environment, user account policies, and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).