


Perceptive Security
SOC/SIEM Consultancy

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is d…
Published:
30 March 2026 at 22:00:00
Alert date:
31 March 2026 at 03:01:14
Source:
nvd.nist.gov
Web Technologies
The Everest Forms Pro plugin for WordPress contains a critical remote code execution vulnerability in versions up to and including 1.9.12. The flaw lies in the Calculation Addon's process_filter() function, which concatenates user-submitted form field values into a PHP code string and passes it to eval() without escaping suitable for that context. sanitize_text_field() does not escape single quotes or other characters that carry meaning in PHP source, so they survive sanitization intact. Unauthenticated attackers can exploit this by submitting crafted values in string-type form fields when the Complex Calculation feature is enabled, resulting in arbitrary PHP code execution on the server.
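As an added illustration (not the plugin's code and not part of the advisory), the sketch below places the pattern described above, field values spliced into a string handed to eval(), beside a replacement that evaluates a calculation without ever giving user input to the PHP interpreter. The template syntax, function names and sample field values are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's code: the eval-on-concatenated-input
// pattern the advisory describes, beside a replacement that never lets field
// values reach the PHP interpreter. Template and field names are constructed.

// RISKY: sanitize_text_field() strips tags and control characters but keeps
// quotes and PHP syntax, so whatever a string field holds is executed here.
function evf_calc_risky(string $template, array $fields)
{
    foreach ($fields as $name => $v) {
        $template = str_replace('{' . $name . '}', $v, $template);
    }
    return eval('return ' . $template . ';');
}

// SAFE: numbers only (fail closed), whitelist the assembled expression, then
// evaluate it with a tiny recursive-descent parser for numbers, + - * / and ().
function evf_calc_safe(string $template, array $fields): ?float
{
    foreach ($fields as $name => $v) {
        if (!is_numeric($v)) { return null; }
        $template = str_replace('{' . $name . '}', sprintf('%.6F', (float) $v), $template);
    }
    if (!preg_match('/^[\d\s.+\-*\/()]+$/', $template)) { return null; }
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $template, $m);
    $tok = $m[0]; $i = 0; $expr = null;
    $factor = function () use (&$tok, &$i, &$expr, &$factor): float {
        $t = $tok[$i++] ?? '';
        if ($t === '-') { return -$factor(); }
        if ($t === '(') { $v = $expr(); if (($tok[$i++] ?? '') !== ')') { throw new RuntimeException('paren'); } return $v; }
        if (!is_numeric($t)) { throw new RuntimeException('token'); }
        return (float) $t;
    };
    $binary = function (callable $next, array $ops) use (&$tok, &$i): float {
        for ($v = $next(); in_array($tok[$i] ?? '', $ops, true); ) {
            $op = $tok[$i++]; $r = $next();
            if ($op === '/' && $r == 0.0) { throw new RuntimeException('div0'); }
            $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, default => $v / $r };
        }
        return $v;
    };
    $term = fn (): float => $binary($factor, ['*', '/']);
    $expr = fn (): float => $binary($term, ['+', '-']);
    try { $v = $expr(); return $i === count($tok) ? $v : null; } // leftover tokens: malformed
    catch (RuntimeException $e) { return null; }
}
// Constructed sample input: a numeric order total, then a field holding a stray quote.
var_dump(evf_calc_safe('{qty} * ({price} - {discount})', ['qty' => '3', 'price' => '10', 'discount' => '2.5'])); // float(22.5)
var_dump(evf_calc_safe('{qty} * {price}', ['qty' => "3'", 'price' => '10']));                                    // NULL
```

The safe variant rejects any non-numeric field value before substitution and refuses malformed expressions, so a quote or code fragment in a string field can only produce a null result, never execution.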
Technical details
Mitigation steps:
Affected products:
Everest Forms Pro WordPress Plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-3300
https://everestforms.net/changelog/
https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584
https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
