PatchSiren cyber security CVE debrief
CVE-2026-4888 wpeverest CVE debrief
The Everest Forms WordPress plugin is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function. This allows authenticated attackers with Subscriber-level access and above to send test emails to arbitrary addresses from the server. The vulnerability affects all versions up to and including 3.4.7. The issue was disclosed on 2026-05-28 and has a CVSS 3.1 score of 4.3 (Medium severity). The root cause is classified as CWE-862 (Missing Authorization).
- Vendor: wpeverest
- Product: Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
- WordPress site administrators using the Everest Forms plugin
- Security teams monitoring for unauthorized email abuse
- Hosting providers detecting outbound spam from compromised sites
Technical summary
The send_test_email() function in class-evf-ajax.php lacks a capability check, so any authenticated user (Subscriber and above) can invoke it and have the server send email to an arbitrary address. The function is reachable through the plugin's AJAX action on WordPress's admin-ajax.php endpoint. No permission beyond a valid WordPress login is required; the endpoint treats authentication as if it were authorization.
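The following is an added illustration of the CWE-862 pattern behind this advisory and of the standard WordPress fix; it is not the Everest Forms code and the action name, nonce name and function names are assumptions. The unsafe handler is reachable by any logged-in user because registering a wp_ajax_ hook only requires authentication, while the hardened handler adds a nonce check, a capability check, input validation and a recipient allow-list so the endpoint cannot be used as a relay.

```php
<?php
// Illustrative only: modelled on the weakness described in the advisory,
// not the plugin's actual source. Names below are assumed.

// --- Unsafe shape (what a missing capability check looks like) ---
add_action( 'wp_ajax_example_send_test_email_unsafe', 'example_send_test_email_unsafe' );

function example_send_test_email_unsafe() {
    // Any authenticated user reaches this hook; nothing here verifies that the
    // caller is allowed to use an administrative feature (CWE-862).
    $to = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    wp_mail( $to, 'Test email', 'This is a test message.' );
    wp_send_json_success();
}

// --- Hardened shape ---
add_action( 'wp_ajax_example_send_test_email', 'example_send_test_email' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated users never reach it.

function example_send_test_email() {
    // 1. CSRF: verify the nonce sent by the settings page. Terminates with -1 on failure.
    check_ajax_referer( 'example-send-test-email', 'security' );

    // 2. Authorization: logged in is not the same as allowed. Require the capability
    //    that administrative plugin features should demand.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: reject anything that is not a well-formed address.
    $to = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }

    // 4. Defence in depth: a "test" email only needs to reach the requesting admin
    //    or the site's admin address, so refuse arbitrary recipients outright.
    $allowed = array( wp_get_current_user()->user_email, get_option( 'admin_email' ) );
    if ( ! in_array( $to, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Recipient not permitted for test emails.' ), 403 );
    }

    $sent = wp_mail( $to, 'Test email', 'This is a test message.' );
    if ( $sent ) {
        wp_send_json_success( array( 'message' => 'Test email sent to ' . $to ) );
    }
    wp_send_json_error( array( 'message' => 'wp_mail() failed; check mail configuration.' ), 500 );
}
```

When auditing a plugin for this class of bug, look at every callback attached to a wp_ajax_ or wp_ajax_nopriv_ hook and confirm that each one calls current_user_can() (or an equivalent) before doing anything that only an administrator should be able to do; the nonce check alone does not establish authorization.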
Defensive priority
Medium
Recommended defensive actions
- Update Everest Forms plugin to version 3.4.8 or later
- Review WordPress user accounts for unauthorized Subscriber registrations
- Monitor server mail logs for suspicious test email activity
- Implement principle of least privilege for WordPress user roles
- Consider Web Application Firewall rules to restrict access to AJAX endpoints
Evidence notes
The vulnerability exists in the send_test_email() function within the plugin's AJAX handler. The Wordfence advisory confirms the missing capability check allows low-privileged authenticated users to trigger email sending functionality intended for administrative use.
Official resources
2026-05-28T00:16:43.797Z