Everest Forms Pro Remote Code Execution (CVE-2026-3300): Actively Exploited eval() Injection via Complex Calculation Feature

A critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin, tracked as CVE-2026-3300, allows unauthenticated attackers to execute arbitrary PHP code on the server through the plugin’s Complex Calculation feature. Active exploitation is confirmed — attackers are taking over WordPress sites by injecting PHP code through form submissions. All versions up to and including 1.9.12 are affected.

What Is the Vulnerability?

CVE-2026-3300 is a code injection vulnerability in Everest Forms Pro’s Complex Calculation feature. This feature accepts values submitted through form fields — including values submitted by unauthenticated users on public-facing forms — and inserts them into a PHP code string that is then executed using PHP’s eval() function. The eval() function executes arbitrary PHP code passed to it as a string.

The vulnerability exists because user input is passed through WordPress’s sanitize_text_field() function, which does not escape single quotes or other characters that influence PHP syntax. An attacker can supply form field values that close the intended PHP string within the eval’d code, inject arbitrary PHP commands, and achieve remote code execution on the WordPress server. No authentication is required — any public-facing form using the Complex Calculation feature is an attack vector.
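The root cause described above is that a submitted field value is spliced into source code and then executed, so a text sanitizer that leaves quotes and punctuation intact cannot make it safe. The hardening pattern a defender wants is to never build code from user input at all: validate each field value as a number and evaluate the formula with a small arithmetic parser. The block below is an added illustration of that pattern, not Everest Forms code; the `{field}` placeholder syntax, the field names and the operator set are assumptions.

```python
import re
from decimal import Decimal

# Added example of the eval()-free pattern: a submitted value is either a
# number or it is rejected, and the formula is parsed with an allowlist
# grammar. Placeholder syntax and field names are assumptions.
NUMBER_RE = re.compile(r"\d+(?:\.\d+)?")        # unsigned literal inside a formula
FIELD_VALUE_RE = re.compile(r"-?\d+(?:\.\d+)?")  # what a submitted field may contain
FIELD_REF_RE = re.compile(r"\{(\w+)\}")          # {field_name} placeholder (assumed)
OPERATORS = "+-*/()"


class CalculationError(ValueError):
    """Raised for any input that is not plain arithmetic."""


def resolve_fields(formula: str, submitted: dict) -> str:
    """Replace {name} placeholders with submitted values, numbers only.

    Anything that is not a number is rejected before it reaches the formula,
    so the quoting rules of whatever evaluates the formula never matter."""
    def repl(match):
        name = match.group(1)
        raw = submitted.get(name, "").strip()
        if not FIELD_VALUE_RE.fullmatch(raw):
            raise CalculationError(f"field {name!r} is not numeric: {raw!r}")
        return f"({raw})"  # parentheses keep a leading '-' a unary minus
    return FIELD_REF_RE.sub(repl, formula)


def tokenize(expr: str) -> list:
    """Allowlist tokenizer: numbers and arithmetic operators, nothing else."""
    tokens, pos = [], 0
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        match = NUMBER_RE.match(expr, pos)
        if match:
            tokens.append(match.group())
            pos = match.end()
        elif expr[pos] in OPERATORS:
            tokens.append(expr[pos])
            pos += 1
        else:
            raise CalculationError(f"unexpected character {expr[pos]!r} at offset {pos}")
    return tokens


class _Parser:
    """Recursive-descent parser: expr -> term (('+'|'-') term)*, etc."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise CalculationError("unexpected end of expression")
        self.i += 1
        return tok

    def expr(self) -> Decimal:
        value = self.term()
        while self.peek() in ("+", "-"):
            op, rhs = self.take(), self.term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self) -> Decimal:
        value = self.factor()
        while self.peek() in ("*", "/"):
            op, rhs = self.take(), self.factor()
            if op == "/":
                if rhs == 0:
                    raise CalculationError("division by zero")
                value = value / rhs
            else:
                value = value * rhs
        return value

    def factor(self) -> Decimal:
        tok = self.take()
        if tok == "-":
            return -self.factor()
        if tok == "+":
            return self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise CalculationError("expected ')'")
            return value
        if NUMBER_RE.fullmatch(tok):
            return Decimal(tok)  # Decimal avoids float surprises in prices
        raise CalculationError(f"unexpected token {tok!r}")


def safe_calculate(expr: str, max_length: int = 200) -> Decimal:
    """Evaluate plain arithmetic; any other content raises CalculationError."""
    if len(expr) > max_length:
        raise CalculationError("expression too long")
    parser = _Parser(tokenize(expr))
    value = parser.expr()
    if parser.peek() is not None:
        raise CalculationError(f"unexpected token {parser.peek()!r}")
    return value


def calculate_form(formula: str, submitted: dict) -> Decimal:
    """Resolve submitted field values into the formula, then evaluate it."""
    return safe_calculate(resolve_fields(formula, submitted))


if __name__ == "__main__":
    print(calculate_form("{qty} * {price}", {"qty": "3", "price": "19.99"}))
```

The important property is that a submitted value is checked against a numeric grammar and only then placed into the formula; a value containing a quote, a semicolon or a function name is refused with an error instead of being interpreted. The same structure carries over to PHP directly, since it needs nothing beyond regular expressions and arithmetic.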

Everest Forms Pro is a commercial add-on for the Everest Forms plugin, used to create contact forms, registration forms, payment forms, and custom application forms on WordPress sites. The commercial distribution model means updates are not delivered through the standard WordPress.org plugin update mechanism — site owners must manually update through their purchase account.

  • CVSS v3.1 Score: 9.8 (Critical — estimated)
  • Attack Vector: Network — unauthenticated form submission
  • Impact: Full server compromise via arbitrary PHP code execution
  • Status: Actively exploited in the wild

Which Versions Are Affected?

  • Everest Forms Pro: all versions up to and including 1.9.12

Is It Being Exploited in the Wild?

Yes — confirmed active exploitation. Attackers are actively targeting WordPress sites running Everest Forms Pro to take complete control of the sites. The attack requires only that the site has a public-facing form using the Complex Calculation feature — no authentication, no user interaction beyond form submission.

What Is the Fix?

Update Everest Forms Pro to a version beyond 1.9.12 through your purchase account or the plugin developer’s distribution channel. If you cannot update immediately: (1) disable the Complex Calculation feature on all forms, or (2) disable the Everest Forms Pro plugin entirely. After patching, audit the WordPress server for unexpected PHP files, new administrator accounts, and injected code in theme or plugin files.

Recommendations

Update Everest Forms Pro today. Actively exploited unauthenticated RCE is an emergency-patch scenario. Every WordPress site running this plugin with public-facing forms is a target.

Audit for compromise. Check the WordPress user list for rogue admin accounts. Scan theme and plugin directories for unexpected PHP files. Review server access logs for unusual POST requests to form endpoints.
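The log review step above can be made concrete with two simple checks over a web server access log: a burst of POSTs to the form submission endpoint from one source, and a POST followed shortly by a request for a PHP file under `wp-content/uploads`, where PHP should never execute on a stock site. The block below is an added example, not part of the advisory or the plugin; the sample log lines are constructed, and the choice of `/wp-admin/admin-ajax.php` as the form endpoint is an assumption that should be replaced with whatever path your own logs show for form submissions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added detection example over Apache/Nginx "combined" format access logs.
# FORM_ENDPOINTS is an assumption about where form submissions are posted;
# replace it with the path observed in your own logs.
FORM_ENDPOINTS = ("/wp-admin/admin-ajax.php",)
# A PHP file served from the uploads tree is not expected on a stock site.
UPLOADED_PHP_RE = re.compile(r"^/wp-content/uploads/.*\.php(\?.*)?$", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, invented paths); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:10:01:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:10:01:09 +0000] "GET /wp-content/uploads/2026/06/x1.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Jun/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.test/contact/" "Mozilla/5.0"
198.51.100.2 - - [07/Jun/2026:10:05:01 +0000] "GET /contact/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text: str) -> list:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def is_form_post(entry: dict) -> bool:
    return entry["method"] == "POST" and entry["path"].split("?")[0] in FORM_ENDPOINTS


def find_form_post_bursts(entries: list, threshold: int = 3, window_seconds: int = 60) -> list:
    """Sources that sent at least `threshold` form POSTs inside any window."""
    posts = defaultdict(list)
    for entry in entries:
        if is_form_post(entry):
            posts[entry["ip"]].append(entry["ts"])
    findings = []
    for ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"ip": ip, "posts_in_window": best})
    return findings


def find_php_after_post(entries: list, window_seconds: int = 300) -> list:
    """A form POST followed by the same source fetching PHP from the uploads tree."""
    last_post, findings = {}, []
    for entry in sorted(entries, key=lambda e: e["ts"]):
        if is_form_post(entry):
            last_post[entry["ip"]] = entry["ts"]
        elif UPLOADED_PHP_RE.match(entry["path"]) and entry["ip"] in last_post:
            delta = (entry["ts"] - last_post[entry["ip"]]).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({"ip": entry["ip"], "path": entry["path"],
                                 "status": entry["status"], "seconds_after_post": delta})
    return findings


def triage(text: str) -> dict:
    entries = parse_log(text)
    return {"bursts": find_form_post_bursts(entries),
            "php_after_post": find_php_after_post(entries)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

A 200 response on a PHP path under `uploads` after a form POST is the finding to act on first, since it means the server is executing a file that the form submission may have written; a burst of POSTs on its own is weaker evidence and will also match aggressive spam bots, so it is best used to prioritise which sources to inspect in the body-level logs or WAF records.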

Consider disabling eval()-based features. Any WordPress plugin that passes user input to eval() is inherently dangerous. Review your plugin inventory for similar patterns and disable or replace plugins that use eval on user-supplied data.

References

This advisory was first covered in the broader Vulnerability Intelligence Report — June 7, 2026.
