Platform: wordpress
Component: everest-forms-pro
Fixed in: 1.9.13
CVE-2026-3300 is a critical Remote Code Execution (RCE) vulnerability in the Everest Forms Pro plugin for WordPress. The flaw lets unauthenticated attackers inject and execute arbitrary PHP code on the server. It affects all versions up to and including 1.9.12 and is fixed in version 1.9.13.
The vulnerability is a PHP code injection in the Calculation Addon. Its processfilter() function concatenates user-submitted form field values into a string of PHP source and passes that string to eval(). The values do pass through sanitize_text_field(), but that WordPress function only strips HTML tags, line breaks, extra whitespace and percent-encoded octets; it does not escape single quotes or any other character that is meaningful in PHP source, so a submitted value can close the quoted literal it is placed in and append arbitrary PHP. Because form submissions do not require authentication, an unauthenticated attacker can reach the vulnerable code path and execute arbitrary code with the privileges of the web server process, which in practice means full compromise of the WordPress installation, including its database credentials and files. The CVSS base score is 9.8 (Critical). Note that CVSS measures severity, not likelihood of exploitation; the EPSS figure listed below is the probability estimate.
Exploitation requires a form built with Everest Forms Pro that uses the Calculation Addon and is reachable by the attacker. Since submitting a form does not require authentication, any public page that embeds such a form is sufficient; the attacker does not need an account or the ability to create forms. The attacker submits, in one of the fields used by the calculation, a PHP fragment that first closes the quoted string the value is placed in. The plugin concatenates it into the calculation code and hands the result to eval(), which executes the fragment on the server. The low skill required, combined with the severity of the outcome, makes unpatched sites an attractive target.
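To make the mechanism concrete, the following is an added illustration written for this page; it is not code from Everest Forms Pro and does not reproduce the plugin's internals. It shows the pattern the advisory describes (a sanitised but unescaped value concatenated into PHP source and passed to eval()) beside a hardened version that validates numbers and evaluates the formula with a small whitelist parser. Everything in it is hypothetical: the {field} formula syntax, the function and class names, the sample submissions, and the stub that stands in for WordPress' sanitize_text_field() so the script runs outside WordPress.

```php
<?php
// Added illustration of the advisory's pattern; NOT code from Everest Forms Pro.
// Hypothetical: the {field} syntax, all names here, and the sanitiser stub below.

// Stand-in for WordPress' sanitize_text_field(): strips tags, control bytes and
// surrounding whitespace, and, like the real function, leaves single quotes intact.
function stub_sanitize_text_field(string $s): string {
    return trim(preg_replace('/[\x00-\x1f\x7f]/', '', strip_tags($s)));
}

// VULNERABLE: each {field} token is replaced by the submitted value wrapped in
// single quotes and the resulting PHP source is passed to eval(). A value that
// contains a single quote closes the literal; whatever follows runs as PHP.
function vulnerable_calculate(string $formula, array $fields): string {
    $code = $formula;
    foreach ($fields as $name => $value) {
        $clean = stub_sanitize_text_field((string) $value);
        $code  = str_replace('{' . $name . '}', "'" . $clean . "'", $code);
    }
    return (string) eval('return ' . $code . ';');
}

// HARDENED: input is never turned into code. Values must validate as floats and
// the formula is evaluated by a whitelist parser (numbers, {field} lookups,
// + - * / and parentheses) instead of eval().
final class SafeCalc {
    private array $tokens;
    private int $pos = 0;

    public function __construct(string $formula, private array $vars) {
        $s = preg_replace('/\s+/', '', $formula);
        preg_match_all('/\d+(?:\.\d+)?|\{\w+\}|[-+*\/()]/', $s, $m);
        // The tokens must account for every character; anything else is rejected.
        if (implode('', $m[0]) !== $s) throw new InvalidArgumentException('Disallowed characters in formula');
        $this->tokens = $m[0];
    }

    public function evaluate(): float {
        $v = $this->expr();
        if ($this->pos !== count($this->tokens)) throw new InvalidArgumentException('Unexpected trailing tokens');
        return $v;
    }

    private function expr(): float {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->next() === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }

    private function term(): float {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next();
            $r  = $this->factor();
            if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('Division by zero in formula');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float {
        $t = $this->next();
        if ($t === null) throw new InvalidArgumentException('Unexpected end of formula');
        if ($t === '(') {
            $v = $this->expr();
            if ($this->next() !== ')') throw new InvalidArgumentException('Missing closing parenthesis');
            return $v;
        }
        if ($t === '-') return -$this->factor();
        if ($t[0] === '{') {
            $name = substr($t, 1, -1);
            if (!array_key_exists($name, $this->vars)) throw new InvalidArgumentException("Unknown field {$name}");
            return $this->vars[$name];
        }
        if (is_numeric($t)) return (float) $t;
        throw new InvalidArgumentException("Unexpected token '{$t}'");
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }
}

function hardened_calculate(string $formula, array $fields): float {
    $vars = [];
    foreach ($fields as $name => $value) {
        // Reject anything that is not a plain number before it gets near the formula.
        $num = is_scalar($value) ? filter_var($value, FILTER_VALIDATE_FLOAT) : false;
        if ($num === false) throw new InvalidArgumentException("Field '{$name}' is not numeric");
        $vars[$name] = $num;
    }
    return (new SafeCalc($formula, $vars))->evaluate();
}

// Constructed sample submissions (not captured traffic). The malicious price closes
// the quoted literal and appends a call; strtoupper() stands in for real attacker code.
$formula = '{qty} * {price}';
$benign  = ['qty' => '2', 'price' => '10.5'];
$attack  = ['qty' => '2', 'price' => "1' . strtoupper('injected') . '1"];

echo 'vulnerable/benign: ', vulnerable_calculate($formula, $benign), "\n";
echo 'vulnerable/attack: ', vulnerable_calculate($formula, $attack), "\n";
echo 'hardened/benign:   ', hardened_calculate($formula, $benign), "\n";
try {
    hardened_calculate($formula, $attack);
} catch (InvalidArgumentException $e) {
    echo 'hardened/attack:   rejected (', $e->getMessage(), ")\n";
}
```

Run it with any PHP 8 interpreter. On the malicious submission the vulnerable path returns a result containing the uppercased word, showing that the injected function call executed inside eval(), while the hardened path throws before any code is built. The point of the hardened version is not a stricter sanitiser: sanitize_text_field() was never designed to make text safe for a PHP source context, and no text filter reliably is. Removing eval() from the data path, validating numbers with filter_var() and fixing the grammar in the parser means a submitted value can never become code.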
Exploit Status
EPSS: 0.29% (52nd percentile)
CISA SSVC
CVSS Vector
The immediate fix for CVE-2026-3300 is to update Everest Forms Pro to version 1.9.13 or later, which removes the PHP code injection. If the update cannot be applied right away, disable the Calculation Addon, or remove calculation fields from publicly reachable forms, until it can. Because the vulnerable code is reached through ordinary form submissions, review web server access logs for POST requests to form submission endpoints whose field values contain PHP syntax (a quote followed by a dot, parentheses or function names), and look for PHP files created or modified around the same time, in particular under wp-content/uploads where no PHP files should exist, since a successful eval() is typically used to drop a persistent web shell. A WAF rule that blocks PHP source fragments in form fields reduces exposure while the update is scheduled, regular off-site backups limit the impact of a compromise, and file integrity monitoring detects unauthorized modifications.
Update to version 1.9.13, or a newer patched version
RCE means an attacker can execute code on a remote server, giving them control over the system.
A CVSS base score of 9.8 falls in the Critical band (9.0 to 10.0) and reflects a high impact on confidentiality, integrity and availability. CVSS expresses severity, not how likely exploitation is; the EPSS figure above is the exploitation probability estimate.
Yes, disabling the Calculation Addon is a viable temporary solution until you can update the plugin.
If you suspect your site has been compromised, treat it as untrusted: rotate all WordPress and database passwords, review the file system for modified or newly added PHP files, check the database for unexpected administrator accounts, and restore from a backup taken before the suspected intrusion. Update the plugin to 1.9.13 or later before bringing the restored site back online, otherwise it can be compromised again.
The latest Everest Forms Pro release is distributed by the plugin's developer. Everest Forms Pro is a premium plugin; the free Everest Forms package in the WordPress.org plugin repository is a separate product, and updating it does not fix this issue.