CVE-2025-5927 is an absolute path traversal vulnerability classified under CWE-36, present in the Everest Forms Pro plugin for WordPress, affecting all versions up to and including 1.9.4. The vulnerability arises from insufficient validation of file paths in the delete_entry_files() function, which is responsible for deleting files associated with form entries. An unauthenticated attacker can craft requests that manipulate the file path parameter to delete arbitrary files on the server filesystem. However, exploitation is constrained because the deletion action requires an administrator to perform the deletion of a form entry, meaning the attacker must induce or trick an admin into initiating the deletion. If exploited, the attacker can delete critical files such as wp-config.php, which can lead to remote code execution by destabilizing the WordPress environment or enabling further malicious actions. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity, with network attack vector, high attack complexity, no privileges required, but requiring user interaction (admin action). No public exploits or patches are currently known, increasing the urgency for proactive mitigation. The vulnerability impacts the confidentiality, integrity, and availability of affected systems, as arbitrary file deletion can compromise sensitive data and system stability.

The impact of CVE-2025-5927 is significant for organizations using Everest Forms Pro on WordPress sites. Arbitrary file deletion can lead to loss of critical configuration files, data corruption, and potential remote code execution, which could result in full system compromise. This threatens the confidentiality of sensitive data stored or processed by the website, the integrity of the website and its data, and the availability of the service. Attackers could leverage this vulnerability to disrupt business operations, deface websites, or pivot to further internal network attacks. Since exploitation requires an admin to trigger the deletion, social engineering or phishing attacks targeting administrators could be a vector, increasing risk. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability’s nature and severity make it a high priority for remediation to prevent future exploitation.

To mitigate CVE-2025-5927, organizations should immediately restrict administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of admin account compromise or manipulation. Administrators should be trained to recognize and avoid social engineering attempts that could trick them into deleting form entries maliciously. Until an official patch is released, consider disabling or uninstalling the Everest Forms Pro plugin if feasible, or restrict access to the plugin’s deletion functionality via web application firewall (WAF) rules or custom server-side controls that validate and sanitize file path parameters. Monitoring and logging admin actions related to form entry deletions can help detect suspicious activity early. Additionally, regular backups of critical files like wp-config.php and the entire WordPress installation should be maintained to enable rapid recovery from file deletion attacks. Organizations should subscribe to vendor advisories and apply patches promptly once available.