PT-2026-29180 · WordPress · Calculation Addon, Everest Forms Pro

Published 2026-03-31 · Updated 2026-04-15 · CVE-2026-3300

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Everest Forms Pro plugin for WordPress, versions up to and including 1.9.12

Description: The Everest Forms Pro plugin for WordPress is susceptible to Remote Code Execution via PHP Code Injection. The process_filter() function in the Calculation Addon concatenates user-supplied form field values into a PHP code string without sufficient sanitization and then passes that string to eval(). The sanitize_text_field() function does not escape single quotes or other characters that are significant in a PHP code context, so its output is not safe to embed in code. As a result, unauthenticated attackers can inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) of a form that uses the "Complex Calculation" feature.

Recommendations: Versions up to and including 1.9.12: upgrade to a version beyond 1.9.12.
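A hardened form of the calculation step, added here as an illustration and not the plugin's own code: it assumes templates use `{field_id}` placeholders (an assumption; the addon's real syntax is not shown on this page), rejects non-numeric field values instead of sanitizing them, and evaluates the resulting arithmetic with a small parser so that no request-derived text ever reaches eval().

```php
<?php
// Added example, not Everest Forms Pro code. Evaluates a template such as
// "({price} * {qty}) - {discount}": field values must be numeric, and the
// arithmetic (+ - * / parentheses, unary minus) is parsed here, not by eval().
final class SafeCalc {
    private string $s = '';
    private int $i = 0;
    public static function run(string $template, array $fields): float {
        $expr = preg_replace_callback('/\{([A-Za-z0-9_]+)\}/', function ($m) use ($fields) {
            $v = $fields[$m[1]] ?? null;
            // Reject rather than "sanitize": quotes, letters or ';' never reach the expression.
            if (!is_numeric($v)) throw new InvalidArgumentException("field {$m[1]} is not numeric");
            return '(' . (float) $v . ')';   // emit our own literal, not the submitted string
        }, $template);
        $p = new self;
        $p->s = preg_replace('/\s+/', '', $expr);
        $v = $p->expr();
        if ($p->i !== strlen($p->s)) throw new InvalidArgumentException("junk at offset {$p->i}");
        return $v;
    }
    private function peek(): string { return $this->s[$this->i] ?? ''; }
    private function expr(): float { return $this->chain(['+', '-'], fn() => $this->term()); }
    private function term(): float { return $this->chain(['*', '/'], fn() => $this->factor()); }
    // Left-associative chain: operand (op operand)*
    private function chain(array $ops, callable $next): float {
        $v = $next();
        while (in_array($this->peek(), $ops, true)) {
            $op = $this->s[$this->i++];
            $r = $next();
            if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('division by zero');
            $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
        }
        return $v;
    }
    private function factor(): float { // factor := '-' factor | '(' expr ')' | number
        if ($this->peek() === '-') { $this->i++; return -$this->factor(); }
        if ($this->peek() === '(') {
            $this->i++; $v = $this->expr();
            if ($this->peek() !== ')') throw new InvalidArgumentException('missing )');
            $this->i++; return $v;
        }
        if (!preg_match('/\G\d+(\.\d+)?([eE][+-]?\d+)?/', $this->s, $m, 0, $this->i)) {
            throw new InvalidArgumentException("unexpected token at offset {$this->i}");
        }
        $this->i += strlen($m[0]);
        return (float) $m[0];
    }
}
// Usage (constructed input): SafeCalc::run('({price} * {qty}) - {discount}', ['price' => '19.99', 'qty' => '3', 'discount' => '5']);
```

A submitted value containing anything other than a numeric literal is refused before substitution, which is the property sanitize_text_field() cannot provide for a code context.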

Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-3300

Affected Products

Calculation Addon
Everest Forms Pro