CVE-2026-3300: CWE-94 Improper Control of Generation of Code ('Code Injection') in WPEverest Everest Forms Pro
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
AI Analysis
Technical Summary
CVE-2026-3300 is a critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin (up to version 1.9.12). The issue arises from the Calculation Addon's process_filter() function, which improperly concatenates user input into PHP code strings and executes them via eval() without adequate escaping. The sanitize_text_field() function applied to inputs fails to escape single quotes and other PHP code context characters, enabling unauthenticated attackers to inject arbitrary PHP code through crafted values in string-type form fields (text, email, URL, select, radio) when the "Complex Calculation" feature is used.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary PHP code on the server hosting the vulnerable plugin. This can lead to full system compromise including data theft, site defacement, malware installation, or further pivoting within the hosting environment. The CVSS 3.1 base score is 9.8, reflecting critical impact on confidentiality, integrity, and availability with no required privileges or user interaction.
Mitigation Recommendations
No official patch or fix is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, it is recommended to disable the "Complex Calculation" feature or remove the Everest Forms Pro plugin from affected versions to prevent exploitation. Monitor the vendor's official channels for updates and apply patches promptly once available.
CVE-2026-3300: CWE-94 Improper Control of Generation of Code ('Code Injection') in WPEverest Everest Forms Pro
Description
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3300 is a critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin (up to version 1.9.12). The issue arises from the Calculation Addon's process_filter() function, which improperly concatenates user input into PHP code strings and executes them via eval() without adequate escaping. The sanitize_text_field() function applied to inputs fails to escape single quotes and other PHP code context characters, enabling unauthenticated attackers to inject arbitrary PHP code through crafted values in string-type form fields (text, email, URL, select, radio) when the "Complex Calculation" feature is used.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary PHP code on the server hosting the vulnerable plugin. This can lead to full system compromise including data theft, site defacement, malware installation, or further pivoting within the hosting environment. The CVSS 3.1 base score is 9.8, reflecting critical impact on confidentiality, integrity, and availability with no required privileges or user interaction.
Mitigation Recommendations
No official patch or fix is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, it is recommended to disable the "Complex Calculation" feature or remove the Everest Forms Pro plugin from affected versions to prevent exploitation. Monitor the vendor's official channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-26T20:26:05.469Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cb25a7e6bfc5ba1d9a95b1
Added to database: 3/31/2026, 1:38:47 AM
Last enriched: 4/14/2026, 3:07:56 PM
Last updated: 5/15/2026, 5:07:49 AM
Views: 162
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.