CVE-2026-3300

Critical

Published: 31 March 2026

Published

31 March 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0031 54.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into…

a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the PHP code injection flaw in the Everest Forms Pro plugin, directly preventing exploitation of CVE-2026-3300.

SI-10 Information Input Validation good match

prevent

Mandates validation and sanitization of user-submitted form field values to prevent malicious PHP code injection before concatenation into eval() strings.

RA-5 Vulnerability Monitoring and Scanning partial match

preventdetect

Enables vulnerability scanning to detect the code injection vulnerability in the Everest Forms Pro plugin and prioritize its remediation.

Security SummaryAI

CVE-2026-3300 is a remote code execution vulnerability via PHP code injection in the Everest Forms Pro plugin for WordPress, affecting all versions up to and including 1.9.12. The issue resides in the Calculation Addon's process_filter() function, which concatenates user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). Although sanitize_text_field() is applied to the input, it fails to escape single quotes or other PHP code context characters, enabling code injection.

Unauthenticated attackers can exploit this vulnerability by submitting a crafted value in any string-type form field, such as text, email, URL, select, or radio, on a form that utilizes the "Complex Calculation" feature. Successful exploitation grants arbitrary PHP code execution on the server, with a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflecting its critical severity and associated with CWE-94.

Advisories and patch information are detailed in the Everest Forms changelog at https://everestforms.net/changelog/, the vulnerable source code line in the WordPress plugin trac at https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve.

Details

CWE(s): CWE-94

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote code execution via PHP injection in a public-facing WordPress plugin, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://everestforms.net/changelog/
security@wordfence.com
https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve
security@wordfence.com