Everest Forms Pro RCE via PHP Eval (<=1.9.12)
CVE-2026-3300 Published on March 31, 2026
Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
Timeline
Vendor Notified
Disclosed 32 days later.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-3300 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-3300
Want to know whenever a new CVE is published for Wpeverest Everest Forms? stack.watch will email you.
Affected Versions
WPEverest Everest Forms Pro:- Before and including 1.9.12 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.