CVE-2026-57312 is an unauthenticated Cross-Site Scripting (XSS) vulnerability in Everest Forms, a WordPress plugin, affecting versions up to and including 3.4.8. The vulnerability is due to improper neutralization of input during web page generation (CWE-79), which allows attackers to inject malicious scripts that can execute in the context of the victim's browser. The CVSS 3.1 base score is 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability. There is no vendor advisory or patch information available at this time, and no known exploits in the wild have been reported.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary scripts in the context of users visiting the affected site, potentially leading to information disclosure, session hijacking, or other impacts on confidentiality, integrity, and availability as indicated by the CVSS vector. The scope is changed, meaning the vulnerability affects resources beyond the vulnerable component itself.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider applying temporary mitigations such as disabling or limiting the use of Everest Forms or implementing web application firewall (WAF) rules to detect and block XSS payloads targeting this plugin.