CVE-2026-27070
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms Pro allows Stored XSS. This issue affects Everest Forms Pro: from n/a through 1.9.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Everest Forms Pro ≤1.9.10 allows attackers to inject malicious scripts via form fields, impacting thousands of WordPress sites; exploitation requires interaction by a privileged user.
The Everest Forms Pro plugin for WordPress, versions 1.9.10 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability. This improper neutralization of user-supplied input during web page generation allows an attacker to inject arbitrary JavaScript or HTML into form submissions that are stored and later displayed to site visitors.
Exploitation requires the attacker to have an authenticated user with at least contributor-level privileges (or similar) to submit or manage forms on the site. The injected script is stored in the database and triggers when a victim (including administrators or other visitors) views the page containing the malicious payload. No additional authentication beyond the victim's normal session is required for execution, but a privileged user must first initiate the action (e.g., submitting or saving the form).[1]
A successful attack can lead to session hijacking, harvesting, redirection to malicious sites, or defacement of the affected WordPress pages. Because the payload is persistent, the impact can affect multiple users sitewide until the content is removed or the plugin is patched.
Patchstack has released a mitigation rule to block attacks prior to updating. The vendor has patched this vulnerability in version 1.9.13. Users are strongly advised to update to this version immediately or apply a virtual patch if immediate updating is not possible.[1]
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.9.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.