CVE-2026-22422 describes a basic cross-site scripting (XSS) vulnerability in the Everest Forms WordPress plugin (versions up to 3.4.1). The issue arises from improper neutralization of script-related HTML tags, allowing an attacker to inject code into web pages rendered by the plugin. The CVSS 3.1 vector indicates the attack can be performed remotely over the network without privileges or user interaction, with a medium severity impact primarily on integrity. No official patch or vendor advisory is provided in the data, and no known exploits have been reported.

The vulnerability allows an attacker to inject malicious scripts into web pages generated by Everest Forms, potentially leading to code execution in the context of the victim's browser. The CVSS score of 5.3 indicates a medium impact, with integrity affected but confidentiality and availability unaffected. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor for updates from the Everest Forms vendor. Until a fix is available, consider disabling or limiting the use of affected plugin features that process user input in web pages to reduce exposure.