CVE-2025-3422: 
WordPress vulnerability analysis and mitigation

The Everest Forms WordPress plugin is vulnerable to arbitrary shortcode execution in versions up to and including 3.1.1, identified as CVE-2025-3422. The vulnerability was discovered and disclosed on April 11, 2025. The issue affects the plugin's form builder functionality, which fails to properly validate values before executing the do_shortcode function (NVD).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 base score of 5.4 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with low impacts to confidentiality (C:L) and integrity (I:L), and no impact to availability (A:N) (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes in the WordPress environment. This could potentially lead to unauthorized actions and content manipulation within the WordPress site (NVD).

A patch has been released in version 3.1.2 of the Everest Forms plugin. Site administrators are advised to update to this version or later to address the vulnerability (WordPress Plugin Repository).