CVE-2026-3300
Status: Received - Intake
Remote Code Execution in Everest Forms Pro Calculation Addon

Publication date: 2026-03-31

Last updated on: 2026-03-31

Assigner: Wordfence

Description
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
Meta Information
Published: 2026-03-31
Last Modified: 2026-03-31
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
everest_forms | everest_forms_pro | up to and including 1.9.12
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

The Everest Forms Pro plugin for WordPress has a vulnerability that allows Remote Code Execution (RCE) through PHP code injection. This occurs in all versions up to and including 1.9.12. The issue arises because the Calculation Addon's process_filter() function concatenates user-submitted form field values directly into a PHP code string without properly escaping them before passing the string to the eval() function.

Although the sanitize_text_field() function is applied to the input, it does not escape single quotes or other characters that can affect PHP code execution. As a result, an unauthenticated attacker can submit specially crafted values in any string-type form field (such as text, email, URL, select, or radio) when the form uses the "Complex Calculation" feature, enabling them to inject and execute arbitrary PHP code on the server.
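The concatenate-then-eval pattern the description refers to, shown beside a hardened variant, as an added PHP illustration that is not Everest Forms Pro's code. The functions process_filter_vulnerable(), process_filter_hardened() and sanitize_text_field_stub() are hypothetical simplifications, and the {field_N} placeholder syntax for formulas is an assumption.

```php
<?php
// Added illustration, not code from the Everest Forms Pro plugin. All
// function names and the {field_N} placeholder convention are assumed.

// Stand-in for WordPress sanitize_text_field(): strips tags and control
// characters but leaves single quotes untouched, which is the property the
// advisory calls out. (Hypothetical simplification.)
function sanitize_text_field_stub(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// VULNERABLE pattern: field values are spliced into PHP source as quoted
// string literals. A value containing a single quote changes the syntax of
// the generated code, so eval() ends up running request-controlled
// statements. Shown for contrast only; never call this with untrusted input.
function process_filter_vulnerable(string $formula, array $fields)
{
    foreach ($fields as $id => $value) {
        $value = sanitize_text_field_stub((string) $value);
        $formula = str_replace('{field_' . $id . '}', "'" . $value . "'", $formula);
    }
    return eval('return ' . $formula . ';');
}

// HARDENED pattern: a calculation only needs numbers, so reject anything
// that is not numeric, cast it, and emit it with var_export() so the
// generated source can never contain quotes or code from the request.
// The whole submission is refused on the first bad value.
function process_filter_hardened(string $formula, array $fields): ?float
{
    foreach ($fields as $id => $value) {
        $value = trim((string) $value);
        if (!is_numeric($value)) {
            return null;            // untrusted shape: do not evaluate
        }
        $formula = str_replace('{field_' . $id . '}', var_export((float) $value, true), $formula);
    }
    // Defence in depth: after substitution only digits, arithmetic operators,
    // parentheses, dots and whitespace may remain in the generated source.
    if (!preg_match('/^[0-9+\-*\/().\s]+$/', $formula)) {
        return null;
    }
    return (float) eval('return ' . $formula . ';');
}

// Constructed sample inputs.
$formula = '{field_1} * {field_2}';
var_dump(process_filter_hardened($formula, [1 => '3', 2 => '4.5']));  // float(13.5)
var_dump(process_filter_hardened($formula, [1 => "3'", 2 => '4']));   // NULL: quote rejected
```

The hardened version restricts formulas to plain arithmetic; if a product needs functions such as rounding, the right move is a purpose-built expression parser over validated numbers rather than widening the character whitelist that guards eval().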


How can this vulnerability impact me?

This vulnerability can have severe impacts because it allows an unauthenticated attacker to execute arbitrary PHP code on the server hosting the WordPress site. This can lead to complete compromise of the server, including unauthorized access to sensitive data, modification or deletion of files, installation of malware, and disruption of services.

Since the attacker does not need any privileges or user interaction, the risk is very high. The CVSS score of 9.8 reflects the critical severity, indicating high confidentiality, integrity, and availability impacts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Remote Code Execution via PHP code injection in the Everest Forms Pro plugin versions up to 1.9.12, specifically through the Calculation Addon's process_filter() function. Detection would involve monitoring for suspicious form submissions that include crafted payloads in string-type form fields using the "Complex Calculation" feature.

Since the plugin processes form submissions via POST requests, you can detect exploitation attempts by inspecting HTTP POST data for unusual or suspicious PHP code patterns in form fields.

  • Use web server logs or network monitoring tools to filter POST requests to endpoints handling Everest Forms submissions.
  • Search for suspicious payloads containing PHP code or special characters in form fields, for example using grep on access logs:
    grep -iE "(eval|base64_decode|system|exec|shell_exec|passthru|phpinfo|\$_GET|\$_POST)" /var/log/apache2/access.log
    Note that default Apache and nginx access logs record the request line and query string but not POST bodies, so this grep only catches payloads placed in the URL; body-level inspection needs a WAF, a reverse proxy with request-body logging, or application-side logging.
  • Monitor for unexpected POST requests to URLs related to Everest Forms submissions, possibly including nonce verification failures.
  • Use WordPress debugging or logging plugins to capture and analyze form submission data.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this Remote Code Execution vulnerability in Everest Forms Pro plugin versions up to 1.9.12, immediate steps include:

  • Update the Everest Forms Pro plugin to a version later than 1.9.12 where this vulnerability is fixed.
  • If an immediate update is not possible, disable the "Complex Calculation" feature in forms to prevent the vulnerable code path from being executed.
  • Implement Web Application Firewall (WAF) rules to block suspicious POST requests containing PHP code injection patterns targeting form submissions.
  • Ensure that WordPress and all plugins are kept up to date and monitor logs for suspicious activity.
  • Consider temporarily disabling the Everest Forms Pro plugin if the risk is high and no patch is available.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to execute arbitrary PHP code on the server by injecting malicious input into form fields. This can lead to full compromise of the server hosting the WordPress site.

Such a compromise can result in unauthorized access to sensitive personal data collected via the forms, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal information.

Additionally, the high severity of the vulnerability (CVSS 9.8) indicates a critical risk to confidentiality, integrity, and availability, which are core principles in compliance frameworks.

Therefore, failure to patch this vulnerability could lead to non-compliance with standards that mandate secure handling and protection of user data.

