KEVIntel
CVSS 9.8 (Critical)

CVE-2026-3300

PUBLISHED

Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field

Exploited in the wild · Remote · Low complexity · No user interaction

Vendor: WPEverest
Product: Everest Forms Pro
Published: Mar 31, 2026
EPSS: 0.3% (55th percentile)


Description

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
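A defender's replacement for the pattern described above (added example, not WPEverest's or the plugin's code; the `SafeCalc` class, the `{placeholder}` syntax and the field array are assumptions): evaluate a calculation-field formula with a small grammar parser instead of building PHP source, so untrusted field values can only ever become numbers.

```php
<?php
// Added example, not the plugin's code: a calculation evaluator that never reaches eval().
// {placeholders} are replaced by form values that must be numeric, and the grammar allows
// only numbers, + - * / and parentheses, so a quote or any other character aborts the run.
final class SafeCalc {
    private int $pos = 0;
    private function __construct(private array $tok) {}

    public static function run(string $formula, array $fields): float {
        // Substitute placeholders with validated numbers only; reject any other value.
        $expr = preg_replace_callback('/\{([A-Za-z0-9_]+)\}/', function ($m) use ($fields) {
            $v = $fields[$m[1]] ?? null;
            if (!is_numeric($v)) throw new InvalidArgumentException("field {$m[1]} is not numeric");
            return (string) (float) $v;
        }, $formula);
        // Tokenise against an allow-list; any stray character surfaces as an unexpected token.
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]|\S/', $expr, $m);
        $calc = new self($m[0]);
        $result = $calc->expr();
        if ($calc->pos !== count($calc->tok)) throw new InvalidArgumentException('trailing input');
        return $result;
    }

    private function expr(): float {            // expr := term (('+' | '-') term)*
        $v = $this->term();
        while (in_array($this->tok[$this->pos] ?? null, ['+', '-'], true)) {
            $v = $this->tok[$this->pos++] === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }

    private function term(): float {            // term := factor (('*' | '/') factor)*
        $v = $this->factor();                   // PHP 8 raises DivisionByZeroError on x / 0
        while (in_array($this->tok[$this->pos] ?? null, ['*', '/'], true)) {
            $v = $this->tok[$this->pos++] === '*' ? $v * $this->factor() : $v / $this->factor();
        }
        return $v;
    }

    private function factor(): float {          // factor := '-' factor | '(' expr ')' | number
        $t = $this->tok[$this->pos++] ?? null;
        if ($t === '-') return -$this->factor();
        if ($t === '(') {
            $v = $this->expr();
            if (($this->tok[$this->pos++] ?? null) !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        if ($t !== null && is_numeric($t)) return (float) $t;
        throw new InvalidArgumentException('unexpected token ' . var_export($t, true));
    }
}

// Constructed inputs: a well-formed order total, then a field holding non-numeric text.
echo SafeCalc::run('({price} * {qty}) - 2.5', ['price' => '19.99', 'qty' => '3']), PHP_EOL;
try { SafeCalc::run('{a} + 1', ['a' => '12abc']); } catch (InvalidArgumentException $e) { echo $e->getMessage(), PHP_EOL; }
```

The second call is rejected before any arithmetic happens, which is the property the vulnerable concatenate-then-eval() design lacked.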

Tags: wordpress, php

Weaknesses (CWE)

  • Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2026-06-05 09:20:13 UTC

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: TheHackerNews (first) · Added: 2026-06-05 09:20 UTC

Recent mentions

Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

TheHackerNews · Jun 05, 2026

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise. The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel