{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5478/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5478"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-read","file-deletion","cve-2026-5478"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Everest Forms plugin for WordPress, versions 3.4.4 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-5478). This flaw stems from the plugin\u0026rsquo;s improper handling of the \u003ccode\u003eold_files\u003c/code\u003e parameter within form submissions. Specifically, the plugin trusts attacker-controlled data as legitimate server-side upload state and insecurely converts URLs into local filesystem paths without adequate sanitization. This lack of input validation enables unauthenticated attackers to inject path traversal sequences, leading to the disclosure of sensitive files like \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains database credentials and authentication salts. Furthermore, the flawed path resolution is utilized in a post-email cleanup routine, resulting in arbitrary file deletion via the \u003ccode\u003eunlink()\u003c/code\u003e function, potentially causing a denial-of-service condition. Successful exploitation requires a form with a file-upload or image-upload field and the \u0026ldquo;store entry information\u0026rdquo; feature disabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an Everest Forms form with a file upload field.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003eold_files\u003c/code\u003e parameter in the POST data, injecting a path traversal payload (e.g., \u003ccode\u003e../../../../wp-config.php\u003c/code\u003e) into its value.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the form submission, and the Everest Forms plugin extracts the \u003ccode\u003eold_files\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s flawed logic converts the attacker-supplied URL into a local file system path using regex-based string replacement without canonicalization or directory boundary enforcement.\u003c/li\u003e\n\u003cli\u003eThe plugin attaches the resolved file (e.g., \u003ccode\u003e/var/www/wordpress/../../../../wp-config.php\u003c/code\u003e) to the notification email.\u003c/li\u003e\n\u003cli\u003eAfter sending the notification email, the post-email cleanup routine utilizes the same flawed path resolution to determine the file to delete.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function is called on the resolved path, leading to the deletion of the targeted file (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information (database credentials, salts) or causes a denial of service by deleting critical system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5478 allows unauthenticated attackers to read arbitrary files on the WordPress server, potentially exposing sensitive information like database credentials and authentication salts stored in \u003ccode\u003ewp-config.php\u003c/code\u003e. This could lead to full site compromise, including data theft, defacement, or further malicious activities. Furthermore, the ability to delete arbitrary files enables attackers to cause a denial-of-service condition by removing critical system or application files. The impact is significant as it affects all versions of the Everest Forms plugin up to and including 3.4.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Everest Forms plugin to a version higher than 3.4.4 to patch CVE-2026-5478.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Everest Forms Arbitrary File Read Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture HTTP POST requests, which are crucial for detecting path traversal attempts (cs-uri-query, cs-method in webserver logs).\u003c/li\u003e\n\u003cli\u003eMonitor file deletion events on the WordPress server, especially those initiated by the web server user, using a file integrity monitoring (FIM) solution (file_event logs).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data, especially file paths, to prevent path traversal vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T20:35:20Z","date_published":"2026-04-20T20:35:20Z","id":"/briefs/2026-08-everest-forms-rfi-rce/","summary":"The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.","title":"Everest Forms Plugin Arbitrary File Read and Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-08-everest-forms-rfi-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5478","version":"https://jsonfeed.org/version/1.1"}