Platform: wordpress
Component: everest-forms-pro
Fixed in: 1.9.11
CVE-2026-27070 describes a Stored Cross-Site Scripting (XSS) vulnerability within the Everest Forms Pro WordPress plugin. This vulnerability allows attackers to inject malicious scripts that are stored in the database and subsequently executed when other users interact with the affected forms. Versions of Everest Forms Pro prior to 1.9.13 are vulnerable, and a patch has been released to address the issue.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript in the context of a victim's browser. This can lead to a wide range of malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data such as login credentials or personal information. Because the payload is stored, a single successful injection can affect every user who views the affected form, significantly expanding the blast radius. As with other XSS vulnerabilities, the root cause is user-supplied input reaching the page without adequate sanitization or output encoding.
CVE-2026-27070 was publicly disclosed on March 19, 2026. The vulnerability's severity is rated as HIGH (CVSS 7.1). There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation makes it a potential target. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27070 is to upgrade Everest Forms Pro to version 1.9.13 or later without delay. If upgrading is not immediately feasible because of compatibility or testing requirements, consider a Web Application Firewall (WAF) rule that filters potentially malicious input, specifically patterns associated with JavaScript injection attempts. Additionally, review and sanitize all user-supplied input handled by the Everest Forms Pro plugin to prevent similar vulnerabilities. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload into a form field and verifying that it is not executed.
Update to version 1.9.13, or a newer patched version
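The sanitization advice above is easiest to see as a before/after pair. The following is an added illustration written for this page, not code from Everest Forms Pro or WPEverest; the function names and the entries table name are assumptions, while sanitize_text_field(), wp_unslash(), esc_attr(), esc_html() and wp_kses() are standard WordPress APIs.

```php
<?php
// Hypothetical stored-XSS pattern and its fix for a WordPress form plugin.
// Not Everest Forms Pro code; the table and function names are assumed.

// 1) Input side: normalize a submitted field before it is stored.
//    sanitize_text_field() strips tags and octets, so the stored copy is inert.
function ef_example_store_field( $form_id, $field_key, $raw_value ) {
    global $wpdb;
    $clean = sanitize_text_field( wp_unslash( $raw_value ) );
    $wpdb->insert(
        $wpdb->prefix . 'ef_example_entries',   // assumed table name
        array( 'form_id' => (int) $form_id, 'field' => $field_key, 'value' => $clean ),
        array( '%d', '%s', '%s' )
    );
}

// 2) Output side (the part a stored XSS concerns): a stored value that reaches
//    the browser unescaped runs in the session of whoever views the entry.

// Vulnerable pattern: stored data echoed verbatim into the entries table.
function ef_example_render_entry_unsafe( $entry ) {
    echo '<td class="' . $entry->field . '">' . $entry->value . '</td>';
}

// Hardened pattern: escape for the exact output context at the point of
// output, regardless of any sanitization that happened on the way in.
function ef_example_render_entry_safe( $entry ) {
    echo '<td class="' . esc_attr( $entry->field ) . '">'
        . esc_html( $entry->value ) . '</td>';
}

// If a field legitimately carries limited markup (e.g. a rich-text answer),
// whitelist the allowed tags and attributes instead of escaping everything.
function ef_example_render_rich_field_safe( $entry ) {
    $allowed = array(
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );
    echo '<td>' . wp_kses( $entry->value, $allowed ) . '</td>';
}
```

The same rule applies to admin-side views (entry listings, CSV previews, email templates), which is where stored form data is most often rendered back to a privileged user.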
CVE-2026-27070 is a stored Cross-Site Scripting (XSS) vulnerability affecting Everest Forms Pro versions before 1.9.13, allowing attackers to inject malicious scripts.
You are affected if you are using Everest Forms Pro versions prior to 1.9.13. Immediately check your plugin version and upgrade if necessary.
Upgrade Everest Forms Pro to version 1.9.13 or later. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
There are currently no known active exploits or campaigns targeting this vulnerability, but its ease of exploitation makes it a potential target.
Refer to the WPEverest website and WordPress plugin repository for the official advisory and update information.