Remote Code Execution Risk in Everest Forms Pro Plugin by WordPress

CVE-2026-3300

What is CVE-2026-3300?

The Everest Forms Pro plugin for WordPress has a significant vulnerability that allows for Remote Code Execution through PHP Code Injection. This affects all versions up to and including 1.9.12. The vulnerability arises from the Calculation Addon's process_filter() function, which improperly concatenates user-submitted form field values into an unescaped PHP code string before passing it to eval(). The use of sanitize_text_field() on input fails to adequately escape problematic characters such as single quotes, enabling unauthenticated attackers to inject and execute arbitrary PHP code on the server. This exposure affects any string-type form field utilizing the 'Complex Calculation' feature, putting users at risk of malicious exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References