Remote Code Execution Risk in Everest Forms Pro Plugin by WordPress
CVE-2026-3300
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 31 March 2026
Badges
What is CVE-2026-3300?
The Everest Forms Pro plugin for WordPress has a significant vulnerability that allows for Remote Code Execution through PHP Code Injection. This affects all versions up to and including 1.9.12. The vulnerability arises from the Calculation Addon's process_filter() function, which improperly concatenates user-submitted form field values into an unescaped PHP code string before passing it to eval(). The use of sanitize_text_field() on input fails to adequately escape problematic characters such as single quotes, enabling unauthenticated attackers to inject and execute arbitrary PHP code on the server. This exposure affects any string-type form field utilizing the 'Complex Calculation' feature, putting users at risk of malicious exploitation.
Affected Version(s)
Everest Forms Pro 0 <= 1.9.12
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
The Hacker NewsCVE-2026-3300Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
Threat actors are actively exploiting CVE-2026-3300, a critical RCE vulnerability (CVSS 9.8) in Everest Forms Pro WordPress plugin (4,000+ installs).
18 hours ago
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 📰
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved