PT-2026-29180 · WordPress · Calculation Addon+1

Published: 2026-03-31 · Updated: 2026-06-08 · CVE-2026-3300

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Everest Forms Pro versions prior to 1.9.13

Description: The Everest Forms Pro plugin for WordPress is subject to remote code execution via PHP code injection. The issue exists in the Calculation Addon's process_filter() function, which concatenates user-submitted form field values into a PHP code string and passes it to eval() without proper escaping. Although sanitize_text_field() is applied, that function does not escape single quotes or other characters that are significant in a PHP code context, so a submitted value can break out of the string literal it is placed in. This allows unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting crafted values in any string-type form field (such as text, email, URL, select, or radio) when a form uses the Complex Calculation feature. Approximately 4,000 active installations are potentially affected. Real-world exploitation has been confirmed, with attackers using the flaw to create rogue administrator accounts, deploy webshells, and gain full administrative control of websites.

Recommendations: Update to version 1.9.13 or later. As a temporary workaround, deploy the ModSecurity compensating rule from the Atomic Edge PoC to block known injection vectors. Audit server logs for anomalous POST requests to Everest Forms Pro endpoints whose form field data contains PHP function calls such as eval, base64_decode, system, or exec. Scan wp-content/uploads and wp-content/plugins/everest-forms-pro for webshells. Review administrator accounts for unauthorized additions.
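The log audit recommended above can be scripted. The following is an added example written for this page; it is not the Atomic Edge PoC, the ModSecurity rule, or code from the Everest Forms Pro plugin. It assumes a hypothetical audit-log format in which each line holds a timestamp, method, path and the URL-encoded request body (only WAF or ModSecurity audit logs record bodies; a plain access log does not), and it assumes a hypothetical submission endpoint and field-name prefix, since the plugin's real parameter names are not given on this page. The sample log lines are constructed. The check requires an opening parenthesis after the function name so that ordinary words such as "system" in a free-text message field are not flagged.

```python
import re
from urllib.parse import parse_qs

# PHP calls the advisory recommends hunting for in submitted form data.
# The "\s*\(" suffix means "system is down" is not a hit but "system (" is.
PHP_CALL_RE = re.compile(r"\b(eval|base64_decode|system|exec)\s*\(", re.IGNORECASE)

# Hypothetical submission endpoint and form-field parameter prefix (assumptions
# for this example; the real plugin's endpoint and field names may differ).
TARGET_PATH = "/wp-admin/admin-ajax.php"
FIELD_PREFIX = "form_fields"

# Constructed sample audit-log records: "<timestamp> <method> <path> [<urlencoded body>]".
# Line 2 is a constructed positive case with a placeholder instead of real payload bytes.
SAMPLE_LOG = """\
2026-04-01T10:00:01Z POST /wp-admin/admin-ajax.php action=submit_form&ef%5Bform_fields%5D%5Bname%5D=Alice&ef%5Bform_fields%5D%5Bqty%5D=3
2026-04-01T10:00:05Z POST /wp-admin/admin-ajax.php action=submit_form&ef%5Bform_fields%5D%5Bname%5D=x%27.eval%28base64_decode%28%27PLACEHOLDER%27%29%29.%27
2026-04-01T10:00:09Z GET /contact/
2026-04-01T10:00:12Z POST /wp-admin/admin-ajax.php action=submit_form&ef%5Bform_fields%5D%5Bemail%5D=bob%40example.com&ef%5Bform_fields%5D%5Bmsg%5D=Please%20call%20me
2026-04-01T10:00:15Z POST /wp-admin/admin-ajax.php action=submit_form&ef%5Bform_fields%5D%5Bmsg%5D=system%20is%20down%20again
"""


def parse_record(line):
    """Split one audit-log line into its timestamp, method, path and body.
    The body is empty for requests without one; blank or short lines give None."""
    parts = line.strip().split(" ", 3)
    if len(parts) < 3:
        return None
    ts, method, path = parts[:3]
    body = parts[3] if len(parts) == 4 else ""
    return {"ts": ts, "method": method, "path": path, "body": body}


def suspicious_fields(body):
    """Decode a URL-encoded POST body and return (field, value, calls) tuples
    for every form field whose value contains one of the PHP calls."""
    hits = []
    # parse_qs percent-decodes keys and values, so encoded payloads are inspected
    # in their decoded form, which is what the plugin would have concatenated.
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if FIELD_PREFIX not in field:
            continue
        for value in values:
            calls = sorted({m.lower() for m in PHP_CALL_RE.findall(value)})
            if calls:
                hits.append((field, value, calls))
    return hits


def scan(log_text):
    """Return one finding per suspicious form field in POSTs to the target path."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_record(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        for field, value, calls in suspicious_fields(rec["body"]):
            findings.append({"line": lineno, "ts": rec["ts"], "field": field,
                             "value": value, "calls": calls})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} {f['ts']} field={f['field']} calls={f['calls']}")
```

Run against the constructed sample, only line 2 is reported, with both eval and base64_decode identified; the message "system is down again" on line 5 passes because no call syntax follows the word. A hit is a lead for the follow-up steps in the recommendations (webshell scan of wp-content, administrator account review), not proof of compromise on its own.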

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-3300

Affected Products: Calculation Addon, Everest Forms Pro