CVE-2026-4888: CWE-862 Missing Authorization in wpeverest Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
CVE-2026-4888 is a medium severity vulnerability in the Everest Forms WordPress plugin that allows authenticated users with Subscriber-level access or higher to send test emails to arbitrary addresses without proper authorization checks. This occurs due to a missing capability check in the send_test_email() function in versions up to and including 3.4.7. The vulnerability does not impact confidentiality or availability but can be used to send unauthorized emails from the server.
AI Analysis
Technical Summary
The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress contains a missing authorization vulnerability (CWE-862) in its send_test_email() function. This flaw allows any authenticated user with at least Subscriber privileges to send test emails to arbitrary addresses, bypassing intended capability checks. The issue affects all plugin versions up to and including 3.4.7. The CVSS 3.1 base score is 4.3 (medium), reflecting network attack vector, low attack complexity, and limited impact on integrity only.
Potential Impact
An attacker with Subscriber-level access or higher can exploit this vulnerability to send unauthorized test emails from the server. While this does not compromise data confidentiality or system availability, it can be abused for spam or phishing campaigns leveraging the legitimate server's email capabilities, potentially damaging reputation or causing indirect harm.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted individuals only and monitor for unusual email activity related to the plugin. Avoid granting Subscriber-level users unnecessary access to the plugin's email functions.
CVSS v3.1 score: 4.3 (medium)
Weaknesses: CWE-862 Missing Authorization
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-26T11:48:23.396Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1797f4e29bf47b501bace1
Added to database: 5/28/2026, 1:18:44 AM
Last enriched: 5/28/2026, 1:33:32 AM
Last updated: 5/28/2026, 2:19:52 AM