The Everest Forms plugin for WordPress (up to version 3.4.4) suffers from a CWE-22 path traversal vulnerability due to improper validation and canonicalization of attacker-controlled old_files data from public form submissions. The plugin converts attacker-supplied URLs into local filesystem paths using regex-based string replacement without enforcing directory boundaries. This flaw allows unauthenticated attackers to read arbitrary files by injecting path traversal sequences into the old_files parameter, which are then included in notification emails. Additionally, the same path resolution is used in a post-email cleanup routine that calls unlink() on the resolved path, enabling deletion of arbitrary files. This can lead to full site compromise through exposure of database credentials and authentication salts in wp-config.php, and denial of service through deletion of critical files. The vulnerability requires a form with file-upload or image-upload fields and disabled entry information storage. No patch or official remediation is currently documented.

Successful exploitation allows unauthenticated attackers to read sensitive local files such as wp-config.php, exposing database credentials and authentication salts, which can lead to full site compromise. Additionally, attackers can delete arbitrary files on the server, causing denial of service by removing critical files. This impacts confidentiality, integrity, and availability of the affected WordPress site.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid using vulnerable versions of the Everest Forms plugin, especially with forms that have file-upload or image-upload fields and disabled entry information storage. Monitor vendor channels for updates and apply patches promptly once released.