CVE-2026-3300 is a critical remote code execution (RCE) vulnerability in the Everest Forms Pro plugin for WordPress, specifically in all versions up to and including 1.9.12. The vulnerability stems from the Calculation Addon's process_filter() function, which constructs PHP code by concatenating user-submitted form field values into a string that is then executed using PHP's eval() function. Although the input is passed through WordPress's sanitize_text_field() function, this sanitization does not escape single quotes or other characters that can alter PHP code context, leaving the input vulnerable to code injection. Attackers can exploit this by submitting specially crafted input in any string-type form field (such as text, email, URL, select, or radio) when the form uses the "Complex Calculation" feature. Because the vulnerability requires no authentication or user interaction, it can be exploited remotely by any unauthenticated attacker. Successful exploitation allows arbitrary PHP code execution on the server, leading to full system compromise including data theft, website defacement, malware deployment, or pivoting to internal networks. The vulnerability is assigned a CVSS v3.1 score of 9.8, reflecting its critical severity with network attack vector, no privileges required, and no user interaction needed. Currently, no patches or updates have been released by the vendor, and no known exploits have been observed in the wild. The vulnerability is categorized under CWE-94: Improper Control of Generation of Code ('Code Injection').

The impact of CVE-2026-3300 is severe and wide-ranging. Exploitation leads to remote code execution on the affected web server, granting attackers full control over the compromised system. This can result in unauthorized access to sensitive data, website defacement, insertion of backdoors or malware, and use of the server as a pivot point for further attacks within an organization's network. Given the popularity of WordPress and the Everest Forms Pro plugin, many websites globally are at risk, especially those using the vulnerable versions with the "Complex Calculation" feature enabled. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and mass exploitation campaigns once public exploit code becomes available. Organizations relying on Everest Forms Pro for customer interactions or data collection face potential operational disruption, reputational damage, and regulatory consequences if exploited.

Until an official patch is released, organizations should take immediate steps to mitigate risk. First, disable the "Complex Calculation" feature in Everest Forms Pro to prevent execution of the vulnerable code path. If disabling is not feasible, restrict access to affected forms using web application firewalls (WAFs) or IP whitelisting to limit exposure to trusted users only. Monitor web server logs for suspicious form submissions containing unusual characters or PHP code patterns. Employ runtime application self-protection (RASP) or intrusion detection systems to detect and block attempts to inject PHP code. Regularly back up website data and configurations to enable rapid recovery if compromise occurs. Once the vendor releases a patch, promptly update to the fixed version. Additionally, review and harden PHP configurations to disable dangerous functions like eval() where possible, and enforce least privilege on web server processes to limit damage scope.