Attackers can take over WordPress websites with Everest Forms plug-in
Due to a security vulnerability in the WordPress plug-in Everest Forms, 100,000 websites are potentially vulnerable.
(Image: created with AI in Bing Designer by heise online / dmk)
An important security update closes a "critical" vulnerability in the WordPress plug-in Everest Forms. In a successful attack, attackers can execute malicious code and, in the worst case, take full control of a website.
Wordfence warns of this in a post and states that the vulnerability (CVE-2025-1128) was reported via its bug bounty program. Remote attackers can reportedly exploit the vulnerability without authentication and use it to upload malicious code that compromises websites built with WordPress.
Dangerous attacks possible
According to the plug-in website, Everest Forms has more than 100,000 active installations. It can be used to set up contact forms, among other things. According to the security researchers, the flaw lies in the EVF_Form_Fields upload class.
Due to insufficient checks, attackers can upload malicious code at this point and also read and even delete files. Wordfence explains in detail how such attacks can work in its article on the security problem.
Because the wp-config.php file can also be manipulated in this way, a complete takeover of a website is conceivable. So far, there are no indications that attackers are already exploiting the vulnerability.
Security update available
The security researchers state that they informed the plug-in provider about the security issue at the beginning of February 2025. The security update, Everest Forms 3.0.9.5, is now available. All earlier versions are reportedly vulnerable. Web admins should ensure that the latest version is installed.
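As an added triage example (not code from the article, from Wordfence or from the plug-in), the following script reads the "Version:" field from a WordPress plugin header and flags any Everest Forms install below 3.0.9.5. It assumes the plug-in's main file is wp-content/plugins/everest-forms/everest-forms.php, which is an assumption about the plugin layout, and the sample header is constructed.

```python
import re
from pathlib import Path

# Release that closes CVE-2025-1128 according to the article; all earlier versions are affected.
FIXED_VERSION = "3.0.9.5"


def parse_version(text):
    """Turn a dotted version such as '3.0.9.5' into a tuple of ints so '3.0.10' > '3.0.9.5'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def header_version(plugin_main_file_contents):
    """Extract the 'Version:' field from a WordPress plugin header comment; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", plugin_main_file_contents, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True when the installed Everest Forms version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_plugin_dir(plugins_dir):
    """Look for the plugin under a wp-content/plugins directory (assumed path layout).
    Returns (installed, version, needs_attention)."""
    main_file = Path(plugins_dir) / "everest-forms" / "everest-forms.php"
    if not main_file.is_file():
        return (False, None, False)
    version = header_version(main_file.read_text(errors="replace"))
    if version is None:
        return (True, None, True)  # unreadable header: treat as needing attention
    return (True, version, is_vulnerable(version))


# Constructed sample header in the shape of a WordPress plugin header; not the plugin's real file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Everest Forms
 * Version: 3.0.9.4
 */
"""

if __name__ == "__main__":
    v = header_version(SAMPLE_HEADER)
    print(f"sample header version {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```

Point `check_plugin_dir` at each site's wp-content/plugins directory to inventory installs that still need the 3.0.9.5 update.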
(des)