Back to overview

CVE-2026-11571

Description
The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via predictable, enumerable filenames.

Metadata

CVE ID
CVE-2026-11571
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-08 09:36 UTC
Published
2026-07-09 06:00 UTC
Last updated
2026-07-09 06:00 UTC
Vendor / Product
Unknown / Everest Forms
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Unknown Everest Forms 0 < 3.5.0
Weakness (CWE)
CWESourceDescription
cna CWE-200 Information Exposure
Back to overview