Vulnerability Intelligence Report — June 7, 2026

Coverage: June 6–7, 2026 | New items: 4 | OpenSSL security update (pre-announced, not KEV): June 9 | KEV deadlines June 10: 2 | KEV deadlines June 19: 1
Previous reports: June 6, 2026 | June 5, 2026 | June 4, 2026

Attackers are actively exploiting a critical vulnerability in Everest Forms Pro (CVE-2026-3300), a commercial WordPress form builder plugin: form-field values reach a PHP eval() call through the Complex Calculation feature, giving unauthenticated remote code execution and full site takeover. Three further WordPress plugin vulnerabilities were disclosed (WP User Manager, Booking Package, MDJM Event Management). The pre-announced OpenSSL security update lands in two days (June 9); the Nx Console and TanStack CISA KEV deadlines follow on June 10.


Quick Reference — Most Important Vulnerabilities Today

Everest Forms Pro (WordPress): CVE-2026-3300 (actively exploited, unauth RCE via eval() injection)

WP User Manager (WordPress): CVE-2026-9290 (CVSS 7.5, unauthenticated LFI/remote code execution)

Booking Package (WordPress): CVE-2026-9851 (CVSS 7.2, privilege escalation via account takeover)

MDJM Event Management (WordPress): CVE-2026-7537 (CVSS 7.2, arbitrary file upload)

OpenSSL Update: June 9, 2026 — prepare inventory (2 days)

KEV Deadlines: Nx Console + TanStack June 10 | SolarWinds Serv-U June 19


Everest Forms Pro (WordPress) — CVE-2026-3300 (Actively Exploited, Unauthenticated RCE via eval Injection)

Software affected: Everest Forms Pro — a commercial WordPress form builder add-on — all versions up to and including 1.9.12. Everest Forms Pro extends the free Everest Forms plugin with advanced features including payment forms, registration forms, and multi-step form workflows.

CVE: CVE-2026-3300 | Critical severity | Actively exploited in the wild | Unauthenticated remote code execution via PHP eval() injection

Fixable: Yes. Update Everest Forms Pro to a version beyond 1.9.12. The fix addresses the unsanitised input in the Complex Calculation feature.

Business impact: The vulnerability sits in the plugin’s Complex Calculation feature, which takes values submitted through form fields (including fields on public-facing forms filled in by unauthenticated visitors) and interpolates them into a string of PHP source that is then executed with eval(). The input does pass through sanitize_text_field(), but that function is built for text destined for an HTML context: it strips tags, line breaks and control characters and leaves single quotes, semicolons, parentheses and the other characters that matter in PHP source untouched. An attacker can therefore terminate the intended string literal, append arbitrary PHP, and have it executed on the web server with no authentication. This is being exploited in the wild to take complete control of WordPress sites; any site running Everest Forms Pro with a public-facing form that uses calculations is directly exposed.
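The pattern described above, as an added example that is not Everest Forms Pro code: a hypothetical calculation routine that builds PHP source from field values and eval()s it, next to a replacement that validates every field as a number and evaluates the formula with a small shunting-yard parser instead of the PHP interpreter. demo_sanitize_text_field() is a simplified stand-in for WordPress’s sanitize_text_field(), included only so the script runs without WordPress; all function names and the sample inputs are constructed for this example (PHP 8).

```php
<?php
// Added example, not Everest Forms Pro code. Shows the general pattern the
// advisory describes (user input interpolated into eval()'d PHP) next to an
// evaluator that never calls eval(). All function names are hypothetical.

// Stand-in for WordPress sanitize_text_field(): strips tags and control
// characters but, like the real function, leaves quotes alone.
function demo_sanitize_text_field(string $s): string
{
    $s = strip_tags($s);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
    return trim($s);
}

// VULNERABLE pattern: field values become part of PHP source. A value
// containing a single quote closes the literal and the rest is parsed as code.
function vulnerable_calculate(string $formula, array $fields): mixed
{
    $code = $formula;
    foreach ($fields as $name => $value) {
        $literal = "'" . demo_sanitize_text_field($value) . "'";
        $code = str_replace('{' . $name . '}', $literal, $code);
    }
    return eval('return ' . $code . ';'); // never do this with user input
}

// HARDENED: every field must be numeric, the expression is restricted to an
// allow-list of characters, and it is evaluated by a tiny parser.
function safe_calculate(string $formula, array $fields): float
{
    $expr = preg_replace_callback('/\{([A-Za-z0-9_]+)\}/', function (array $m) use ($fields): string {
        $v = $fields[$m[1]] ?? null;
        if ($v === null || !is_numeric($v)) {
            throw new InvalidArgumentException("field {$m[1]} is missing or not numeric");
        }
        $n = (float) $v;
        $s = number_format(abs($n), 10, '.', '');   // fixed notation, no exponent
        return $n < 0 ? "(0-$s)" : $s;               // negatives as (0-x): no unary minus needed
    }, $formula);

    if (!preg_match('/^[0-9.+\-*\/() ]+$/', $expr)) {
        throw new InvalidArgumentException('formula contains disallowed characters');
    }
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);

    // Shunting-yard: infix tokens -> reverse Polish notation.
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $rpn = [];
    $ops = [];
    foreach ($m[0] as $tok) {
        if (is_numeric($tok)) {
            $rpn[] = (float) $tok;
        } elseif ($tok === '(') {
            $ops[] = $tok;
        } elseif ($tok === ')') {
            while ($ops && end($ops) !== '(') {
                $rpn[] = array_pop($ops);
            }
            if (array_pop($ops) !== '(') {
                throw new InvalidArgumentException('unbalanced parentheses');
            }
        } else {
            while ($ops && end($ops) !== '(' && $prec[end($ops)] >= $prec[$tok]) {
                $rpn[] = array_pop($ops);
            }
            $ops[] = $tok;
        }
    }
    while ($ops) {
        $op = array_pop($ops);
        if ($op === '(') {
            throw new InvalidArgumentException('unbalanced parentheses');
        }
        $rpn[] = $op;
    }

    // Evaluate the RPN with a value stack; operators are only ever +-*/.
    $stack = [];
    foreach ($rpn as $tok) {
        if (is_float($tok)) {
            $stack[] = $tok;
            continue;
        }
        if (count($stack) < 2) {
            throw new InvalidArgumentException('malformed expression');
        }
        $b = array_pop($stack);
        $a = array_pop($stack);
        if ($tok === '/' && $b == 0.0) {
            throw new DivisionByZeroError('division by zero in formula');
        }
        $stack[] = match ($tok) { '+' => $a + $b, '-' => $a - $b, '*' => $a * $b, '/' => $a / $b };
    }
    if (count($stack) !== 1) {
        throw new InvalidArgumentException('malformed expression');
    }
    return $stack[0];
}

// Constructed inputs: a legitimate order form and a quote-breakout attempt.
$fields = ['price' => '19.99', 'qty' => '3'];
printf("total: %.2f\n", safe_calculate('{price} * {qty} + 5', $fields));

$hostile = "1' . 'still here";
$clean = demo_sanitize_text_field($hostile);
echo 'single quote survives sanitisation: ', str_contains($clean, "'") ? 'yes' : 'no', "\n";

try {
    safe_calculate('{price} * 2', ['price' => $hostile]);
} catch (InvalidArgumentException $e) {
    echo 'hardened evaluator rejected it: ', $e->getMessage(), "\n";
}
```

The point of the hardened version is that user input never becomes source code: the only thing the parser will ever do with a field value is turn it into a float, and the formula itself is checked against an allow-list before tokenising. The vulnerable function is defined for comparison only and is never called with the hostile input.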

How to fix: Update Everest Forms Pro immediately through your purchase account or the plugin developer’s distribution channel. If you cannot update immediately, disable the Complex Calculation feature or deactivate the plugin entirely. Because this is unauthenticated and under active exploitation, treat any site that was exposed before patching as potentially compromised: look for PHP files under wp-content/uploads and other writable paths, unexpected administrator accounts, injected code in theme and plugin files or in the database (wp_options, post content), and unfamiliar scheduled tasks in wp_cron; if you find any of these, rotate the authentication salts in wp-config.php, database credentials and all user passwords, not just the patched plugin.

Recommended action: Urgent — actively exploited unauthenticated RCE. Every WordPress site running Everest Forms Pro must be patched today. Sites with public-facing forms are being actively targeted.

Official source: NVD — CVE-2026-3300


WP User Manager — CVE-2026-9290 (CVSS 7.5, Unauthenticated Local File Inclusion)

Software affected: WP User Manager – User Profile Builder & Membership plugin for WordPress, all versions up to and including 2.9.17.

CVE: CVE-2026-9290 | CVSS 7.5 High | CWE-22 (Path Traversal) | Unauthenticated local file inclusion enabling arbitrary PHP execution

Fixable: Yes. Update WP User Manager to a version beyond 2.9.17.

Business impact: A local file inclusion vulnerability in the profile template scope function lets unauthenticated attackers include, and therefore execute, arbitrary files on the server through path traversal. The included file does not have to be a .php file: any PHP code already present in WordPress core, theme or plugin files can be reached, and so can attacker-controlled content that reached the disk by another route (an image with embedded PHP uploaded through a legitimate form, a poisoned log), which is the usual path from LFI to remote code execution.
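How a template-name parameter turns into LFI, and how to resolve such a name safely, as an added example that is not WP User Manager code. The resolver allow-lists the bare name, resolves it with realpath(), and then checks that the resolved path still lies inside the templates directory (which also catches symlinks and encodings that a regex alone would miss). Function names are hypothetical; the fixture files are created in a temporary directory so the script runs stand-alone (PHP 8).

```php
<?php
// Added example, not WP User Manager code. Contrasts a resolver that
// concatenates a request parameter into an include path with one that
// only ever includes a file from a fixed directory. Names are hypothetical.

// Constructed fixtures: one legitimate template and one file outside the
// templates directory that must never be reachable through the resolver.
$base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/profile.php', "<?php echo 'profile template';\n");
file_put_contents($base . '/secret.php', "<?php echo 'should never be reachable';\n");

// VULNERABLE pattern: the scope parameter reaches the filesystem unchanged,
// so "../secret" escapes templates/ exactly as a deeper "../../.." would.
function vulnerable_template_path(string $base, string $scope): string
{
    return $base . '/templates/' . $scope . '.php';
}

// HARDENED: allow-list the name, resolve it, verify it stayed inside the
// directory. Returns null for anything that should not be included.
function safe_template_path(string $base, string $scope): ?string
{
    if (!preg_match('/^[a-z0-9_-]{1,64}$/', $scope)) {
        return null;                                  // not a bare name (slash, dot, NUL, ...)
    }
    $dir  = realpath($base . '/templates');
    $path = realpath($dir . '/' . $scope . '.php');
    if ($dir === false || $path === false) {
        return null;                                  // directory or file does not exist
    }
    if (!str_starts_with($path, $dir . DIRECTORY_SEPARATOR)) {
        return null;                                  // symlink or traversal escaped the directory
    }
    return $path;
}

// Constructed request values: one legitimate, three traversal attempts.
foreach (['profile', '../secret', 'profile/../../secret', "profile\0"] as $scope) {
    $path = safe_template_path($base, $scope);
    echo json_encode($scope), ' -> ', $path === null ? 'rejected' : 'included: ';
    if ($path !== null) {
        include $path;                                // only ever a file under templates/
    }
    echo "\n";
}
echo 'vulnerable resolver for "../secret" points at an existing file: ',
     file_exists(vulnerable_template_path($base, '../secret')) ? 'yes' : 'no', "\n";

// Remove the fixtures.
unlink($base . '/templates/profile.php');
unlink($base . '/secret.php');
rmdir($base . '/templates');
rmdir($base);
```

Either check alone is weaker than both together: the allow-list rejects the request before any filesystem access, and the realpath() prefix check is what still holds if the allow-list is later loosened or a symlink appears under templates/.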

Recommended action: Update WP User Manager immediately. Unauthenticated file inclusion is a direct path to remote code execution.

Official source: NVD — CVE-2026-9290


Booking Package (WordPress) — CVE-2026-9851 (CVSS 7.2, Privilege Escalation via Account Takeover)

Software affected: Booking Package plugin for WordPress, all versions up to and including 1.7.16.

CVE: CVE-2026-9851 | CVSS 7.2 High | CWE-639 (Authorization Bypass Through User-Controlled Key) | Account takeover via missing capability check

Fixable: Yes. Update Booking Package to a version beyond 1.7.16.

Business impact: The updateUser branch of the package_app_action AJAX endpoint is protected only by a nonce check; it never verifies that the requesting user has the capability to modify user accounts. A WordPress nonce is a CSRF token tied to the current user’s session, not an authorisation decision, and it is embedded in page markup that any logged-in user who can reach the relevant page can read. Such a user can therefore submit the nonce with a request that changes another account’s details, including its password, and take over any registered user up to and including administrators.
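A hardened version of this kind of handler, as an added example rather than Booking Package code. It must run inside WordPress because it relies on core APIs (add_action, check_ajax_referer, current_user_can, wp_update_user, wp_send_json_error/success); the action name demo_update_user, the nonce action string and the POST field names are hypothetical. The capability check is the one the advisory says is missing: WordPress maps the edit_user meta capability per target user, so a subscriber editing their own record passes while the same subscriber targeting an administrator is refused.

```php
<?php
// Added example, not Booking Package code. Runs inside WordPress only.
// Hypothetical AJAX action "demo_update_user"; registered for logged-in
// users only (wp_ajax_), never on wp_ajax_nopriv_.
add_action('wp_ajax_demo_update_user', function (): void {
    // 1. CSRF: the request must carry a nonce issued for this action. This
    //    proves the request originated from a page WordPress rendered for
    //    the current session; it does not say what the session may do.
    check_ajax_referer('demo_update_user', 'nonce');

    // 2. Authorisation, bound to the specific target user. This is the check
    //    a nonce-only handler lacks. 'edit_user' is a meta capability: for
    //    the caller's own ID it passes, for anyone else it requires the
    //    'edit_users' capability (administrators on single-site installs).
    $user_id = (int) ($_POST['user_id'] ?? 0);
    if ($user_id <= 0 || !current_user_can('edit_user', $user_id)) {
        wp_send_json_error(['message' => 'not allowed'], 403);
    }

    // 3. Input validation of the fields the handler is willing to change.
    //    Build the update array explicitly; never pass $_POST through.
    $password = (string) ($_POST['password'] ?? '');
    if (strlen($password) < 12) {
        wp_send_json_error(['message' => 'password must be at least 12 characters'], 400);
    }
    $update = ['ID' => $user_id, 'user_pass' => $password];

    $email = sanitize_email((string) ($_POST['email'] ?? ''));
    if ($email !== '') {
        if (!is_email($email)) {
            wp_send_json_error(['message' => 'invalid email address'], 400);
        }
        $update['user_email'] = $email;
    }

    $result = wp_update_user($update);
    if (is_wp_error($result)) {
        wp_send_json_error(['message' => $result->get_error_message()], 500);
    }
    wp_send_json_success(['user_id' => $user_id]);
});
```

When reviewing any plugin’s AJAX handlers, the quick test is to look at every wp_ajax_ callback and ask what it checks after the nonce: if the answer is nothing, every logged-in user (and, for wp_ajax_nopriv_ hooks, every visitor) has whatever power the callback has.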

Recommended action: Update Booking Package. The missing capability check on user modification is a classic privilege escalation pattern.

Official source: NVD — CVE-2026-9851


MDJM Event Management (WordPress) — CVE-2026-7537 (CVSS 7.2, Arbitrary File Upload)

Software affected: MDJM Event Management plugin for WordPress, all versions up to and including 1.7.8.3.

CVE: CVE-2026-7537 | CVSS 7.2 High | CWE-434 (Unrestricted Upload) | Arbitrary file upload via mdjm_send_comm_email

Fixable: Yes. Update MDJM Event Management to a version beyond 1.7.8.3.

Business impact: The mdjm_send_comm_email function performs no file type, extension or MIME type validation on uploaded files. An authenticated attacker with administrator-level access can upload arbitrary files, including PHP webshells, to the server. On a default single-site install an administrator can already install arbitrary code through the plugin uploader, so the practical exposure is on sites that have locked that down (DISALLOW_FILE_MODS, multisite where only super admins may install plugins) and in scenarios where an administrator’s credentials or session are stolen or driven through a CSRF or XSS bug; an unvalidated upload path is also a convenient second stage when chained with a separate flaw that yields lower-privilege access.
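What the validation on such an upload should look like in WordPress, as an added example and not MDJM code. It must run inside WordPress because it uses wp_check_filetype_and_ext() and wp_handle_upload(); the function name, the allow-list and the capability used are hypothetical choices for this example. wp_handle_upload() already re-checks the type against the 'mimes' override, so the explicit check first only serves to return a precise error, and the rename callback makes sure the attacker never chooses the stored filename.

```php
<?php
// Added example, not MDJM Event Management code. Runs inside WordPress only.
// Accept an attachment from $_FILES, restricted to an explicit allow-list,
// stored under a server-chosen name. Returns the stored path or a WP_Error.

// Allow-list in the shape wp_handle_upload() expects for its 'mimes'
// override: extension pattern => MIME type. Nothing executable is listed.
const DEMO_ALLOWED_MIMES = [
    'pdf'      => 'application/pdf',
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
];

function demo_handle_attachment(array $file)
{
    // Authorisation first; the upload_files capability is the WordPress
    // primitive for "may place files in the uploads directory".
    if (!current_user_can('upload_files')) {
        return new WP_Error('forbidden', 'not allowed to upload files');
    }
    if (!isset($file['tmp_name'], $file['name']) || !is_uploaded_file($file['tmp_name'])) {
        return new WP_Error('bad_request', 'no uploaded file');
    }

    // Extension and sniffed content are checked together against the
    // allow-list; a "shell.php" renamed to "shell.png" fails here.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], DEMO_ALLOWED_MIMES);
    if (empty($check['ext']) || empty($check['type'])) {
        return new WP_Error('bad_type', 'file type not allowed');
    }

    $moved = wp_handle_upload($file, [
        'test_form' => false,
        'mimes'     => DEMO_ALLOWED_MIMES,
        // Server-chosen name: the client-supplied name never reaches disk.
        'unique_filename_callback' => function (string $dir, string $name, string $ext): string {
            return wp_generate_password(16, false) . $ext;
        },
    ]);
    if (isset($moved['error'])) {
        return new WP_Error('upload_failed', $moved['error']);
    }
    return $moved['file'];
}
```

The allow-list is the load-bearing part: a deny-list of "dangerous" extensions is the pattern that keeps failing (double extensions, .phtml, .phar, case variants, Apache handlers on unexpected suffixes), whereas an allow-list of the few types the feature actually needs fails closed.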

Recommended action: Update MDJM Event Management. While the admin privilege requirement limits immediate exploitability, unrestricted file upload is always a critical finding.

Official source: NVD — CVE-2026-7537


Upcoming: OpenSSL Security Update — June 9 (2 Days)

OpenSSL’s pre-announced security update arrives in two days. Organisations should: (1) complete inventory of all systems and applications linking against OpenSSL — including statically linked binaries and container images, (2) identify all network-facing services using OpenSSL (HTTPS, VPNs, email servers, database connections), (3) prepare maintenance windows for June 9 or shortly thereafter, and (4) monitor openssl.org/news/ for the advisory.


KEV Deadline Watch

June 9: OpenSSL security update (not KEV, but pre-announced).

June 10: Nx Console CVE-2026-48027 and TanStack CVE-2026-45321 — supply chain compromises. May 28 report.

June 19: SolarWinds Serv-U CVE-2026-28318 (actively exploited). June 6 report.

Passed: Mirasvit (June 6).


Updates on Items from Previous Reports

Windows MiniPlasma CVE-2026-33825: Still no patch. Restrict local access, deploy AppLocker/WDAC. Dedicated advisory.

Hugging Face Transformers CVE-2026-4372: Update to 5.3.0. Dedicated advisory.

Cisco SD-WAN CVE-2026-20245: Actively exploited. Dedicated advisory.

X.Org/Xwayland CVEs: Apply distribution updates. Dedicated advisory.

Ansible Galaxy CVE-2026-11332: Update ansible-core. Dedicated advisory.

Azure ARM CVSS 10.0, Azure HorizonDB CVSS 10.0, SharePoint, BitLocker YellowKey, Defender, Graph, Copilot, BarTender, binding.gyp, OpenStack Ironic, OpenShift CCO, Acer M6E/Wave7, Hippoo WP, SolarWinds Serv-U: All covered in dedicated advisories.

Drupal, PAN-OS, Citrix NetScaler, Windows Netlogon, FortiClient, Ghost CMS, SonicWall, ChromaDB, Oracle ORDS/WebLogic, Cisco UC Manager, authentik, BIRD BGP, MLflow, React Router, LibreChat, MISP, and all WordPress plugin CVEs: Covered in dedicated advisories and previous reports.


This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources.
