Remote Code Execution Risk in Everest Forms Pro Plugin by WordPress
CVE-2026-3300
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 31 March 2026
Badges
What is CVE-2026-3300?
The Everest Forms Pro plugin for WordPress has a significant vulnerability that allows for Remote Code Execution through PHP Code Injection. This affects all versions up to and including 1.9.12. The vulnerability arises from the Calculation Addon's process_filter() function, which improperly concatenates user-submitted form field values into an unescaped PHP code string before passing it to eval(). The use of sanitize_text_field() on input fails to adequately escape problematic characters such as single quotes, enabling unauthenticated attackers to inject and execute arbitrary PHP code on the server. This exposure affects any string-type form field utilizing the 'Complex Calculation' feature, putting users at risk of malicious exploitation.
Affected Version(s)
Everest Forms Pro 0 <= 1.9.12
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Critical Everest Forms Pro flaw exploited to take over WordPress sites
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website.
3 weeks ago
The Hacker NewsCVE-2026-3300Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
Threat actors are actively exploiting CVE-2026-3300, a critical RCE vulnerability (CVSS 9.8) in Everest Forms Pro WordPress plugin (4,000+ installs).
3 weeks ago
References
EPSS Score
40% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
- ๐ฐ
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved