CVE-2026-3300Code Injection in Everest Forms PRO

CWE-94Code Injection4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.3%
top 47.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wpeverest Everest Forms PRO
Timeline
PublishedMar 31

Description

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticate

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

CVEListV5wpeverest/everest_forms_pro1.9.12

🔴Vulnerability Details

2
CVEList
Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field2026-03-31
GHSA
GHSA-jfqc-5rvh-wp99: The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 12026-03-31

🕵️Threat Intelligence

1
Wiz
CVE-2026-3300 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-3300 — Code Injection in Everest Forms PRO | cvebase