The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the uploads directory, allowing unauthenticated attackers to retrieve other users' form submission records via predictable, enumerable filenames.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Everest Forms WordPress plugin before version 3.5.0 fails to reliably delete temporary CSV files created during email notification processing, leaving sensitive form submission data exposed in the web-accessible uploads directory. These files use predictable, enumerable naming conventions that allow unauthenticated attackers to discover and retrieve other users' confidential information—including names, email addresses, phone numbers, and any custom form fields—without any authentication or authorization checks. This vulnerability affects WordPress sites using the Everest Forms plugin, particularly those collecting sensitive user data through forms, creating a direct path for data exfiltration affecting both site administrators and end users whose data is exposed.
While this CVE lacks explicit MITRE ATT&CK mapping, Casky's Claude AI reasoning engine would detect the attack patterns associated with Reconnaissance (T1592 - Gather Victim Identity Information, T1589 - Gather Victim Identity Information), Resource Development (T1583 - Acquire Infrastructure), and Exfiltration (T1041 - Exfiltration Over C2 Channel, T1020 - Automated Exfiltration) techniques. Practitioners using Casky would identify findings related to improper access control, insecure temporary file handling, and information disclosure risks. The platform's extended reasoning capabilities would flag the predictable filename enumeration pattern as a reconnaissance indicator and correlate it with unauthorized data access attempts in web server logs—revealing systematic scanning of the uploads directory and successful retrieval of CSV files containing PII, which represents active exploitation of this design flaw.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11571. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation