mediumCVE-2026-12270

Everest Forms Onboarding Assistant REST Authorization Bypass Vulnerability

The Everest Forms WordPress plugin before 3.5.0 does not correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the capability check is only applied when an attacker-controllable request header holds a specific value, so it can be bypassed by omitting or changing that header. This makes it possible for unauthenticated attackers to read onboarding status information, modify the related Everest Forms WordPress plugin before 3.5.0 options, and trigger an email from the site to an arbitrary address.

ProductEverest Forms
CVSS6.5
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Everest Forms should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Everest Forms before 3.5.0

Fixed versions

  • 3.5.0

How to fix it

Everest Forms before 3.5.0 allowed unauthorized access to onboarding assistant REST actions. Update the plugin and review WordPress options and mail settings for unexpected changes.

  1. Inventory WordPress sites running Everest Forms before 3.5.0.
  2. Update Everest Forms to version 3.5.0 or later from the WordPress plugin repository or vendor source.
  3. Disable the onboarding assistant or restrict REST access with WAF rules until all sites are patched.
  4. Review WordPress options, Everest Forms settings, email templates, SMTP settings, and administrator notifications for unexpected changes.
  5. Audit WordPress users, API keys, and plugin changes around the vulnerable window.
  6. Rotate SMTP credentials and integration tokens if email settings may have been accessed or modified.
  7. Clear caches and retest form submission and notification workflows after the update.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Everest Forms is running version 3.5.0 or later.
  • Validate unauthenticated users cannot invoke onboarding assistant REST actions.
  • Review WordPress option diffs and plugin logs for unauthorized configuration changes.
  • Test form submissions and email notifications after patching.
  • Run a Fixnx scan and confirm the vulnerable REST route is not exploitable.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-12270?

Everest Forms versions listed as affected should be reviewed: Everest Forms before 3.5.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.