CVE-2025-5927: 
WordPress vulnerability analysis and mitigation

The Everest Forms (Pro) plugin for WordPress contains an arbitrary file deletion vulnerability (CVE-2025-5927) discovered in versions up to and including 1.9.4. The vulnerability was disclosed on June 25, 2025 and stems from insufficient file path validation in the deleteentryfiles() function (NVD, Wiz).

The vulnerability exists due to insufficient file path validation in the deleteentryfiles() function, which allows unauthenticated attackers to delete arbitrary files on the server. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The weakness has been classified as CWE-36 (Absolute Path Traversal) (NVD, Wordfence).

If exploited, this vulnerability could allow attackers to delete arbitrary files on the server, which could lead to remote code execution when critical files like wp-config.php are deleted. However, the vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone (NVD).

Users should update to a version newer than 1.9.4 when available. The vulnerability has been reported to the vendor and is documented in the changelog (Everest Forms).