CVE-2026-4888
Description
The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers with Subscriber-level access can send test emails to arbitrary addresses via a missing capability check in Everest Forms versions up to 3.4.7.
Vulnerability
The Everest Forms plugin for WordPress, up to and including version 3.4.7, lacks a capability check in the send_test_email() function located in the AJAX handler (see class-evf-ajax.php). This function is registered via WordPress AJAX actions for authenticated users. The missing authorization allows any authenticated user, regardless of their role, to trigger test email sending to arbitrary email addresses supplied in the request.
Exploitation
An attacker must have a valid WordPress account with at least Subscriber-level access. The attacker sends a crafted AJAX request to the evf_send_test_email action with a target email address parameter. No additional privileges or nonce verification bypass is needed because the function does not verify that the user has the capability (e.g., manage_options) typically required for such administrative actions. The request is processed, and the plugin sends a test email from the server to the specified address.
Impact
A successful exploit allows the attacker to abuse the WordPress server's email functionality to send test emails to arbitrary recipients. This can be used for email spamming, phishing attempts, or to exhaust server email sending limits. The impact is limited to unauthorized email dispatch; no data disclosure, privilege escalation, or direct server compromise is achieved through this vulnerability itself.
Mitigation
The plugin maintainers have not released a patched version as of the publication date. Users are advised to disable the Everest Forms plugin or to restrict access to the AJAX handler by implementing a custom capability check via a plugin or code snippet. According to [1], the vulnerable code is present in version 3.4.4; the issue affects all versions up to 3.4.7. Monitor the vendor's update channel for a fixed release. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
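As an added illustration (not Everest Forms' own code, and not taken from its class-evf-ajax.php), the PHP below shows the pattern the Vulnerability and Mitigation sections describe: a WordPress AJAX handler reachable by any logged-in user with no capability check, the same handler hardened with a nonce check, a current_user_can() check and recipient validation, and an interim mu-plugin guard of the kind the Mitigation section suggests while no vendor fix is available. The hook name wp_ajax_evf_send_test_email is assumed from the action name given above; the nonce action string and the `security` request field are placeholders, since the page does not state how the plugin names them.

```php
<?php
/**
 * Added illustration, not Everest Forms' own code. Shows the vulnerable
 * pattern the advisory describes, a hardened version, and an interim guard.
 * Hook name assumed from the advisory's "evf_send_test_email" action.
 */

// --- Vulnerable pattern (hypothetical, mirrors the advisory's description) ---
// wp_ajax_* hooks run only for authenticated users, but WordPress does not
// check roles for you: a Subscriber can call this as easily as an admin.
add_action( 'wp_ajax_evf_send_test_email', 'insecure_send_test_email' );

function insecure_send_test_email() {
    // No current_user_can() check: every authenticated role can trigger this.
    $to = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    wp_mail( $to, 'Test email', 'This is a test message.' );
    wp_send_json_success();
}

// --- Hardened pattern ---
function secure_send_test_email() {
    // 1. Nonce: the request must come from the plugin's own settings page.
    //    Nonce action name and field name are placeholders.
    check_ajax_referer( 'evf_send_test_email', 'security' );

    // 2. Capability: only users allowed to manage settings may send test mail.
    //    wp_send_json_error() ends the request via wp_die(), so no return needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the recipient before handing it to wp_mail().
    $to = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => 'Invalid recipient address.' ), 400 );
    }

    wp_mail( $to, 'Test email', 'This is a test message.' );
    wp_send_json_success();
}

// --- Interim guard as a mu-plugin (e.g. wp-content/mu-plugins/evf-test-email-guard.php) ---
// Registered at priority 1 on the same hook, so it runs before the plugin's own
// callback (default priority 10) and stops low-privilege users from reaching it.
add_action( 'wp_ajax_evf_send_test_email', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
}, 1 );
```

The guard works because WordPress runs callbacks on a hook in priority order and wp_send_json_error() terminates the request, so the plugin's callback never executes for a user who fails the check. Site owners should confirm the real hook name in the installed plugin version before relying on this, and remove the guard once a vendor release containing a proper capability check is installed.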
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 products listed, neither with a CPE; both affected range: <=3.4.7
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions
No linked articles in our index yet.