Everest Forms Pro < 1.9.13 – Unauthenticated Remote Code Execution via Calculation Field | CVE 2026-3300 | Plugin Vulnerabilities

Description

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.

Affects Plugins

everest-forms-pro

Fixed in 1.9.13

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

hoshino

Verified

No

WPVDB ID

0530006c-81cf-4472-bf8b-a28eb728e103

Timeline

Publicly Published

2026-03-30 (about 2 months ago)

Added

2026-03-30 (about 2 months ago)

Last Updated

2026-06-12 (about 9 hours ago)

Other

Published

Title

Published

2025-08-14

Title

Inpersttion For Theme <= 1.0 - Authenticated (Contributor+) Arbitrary Function Call

Published

2025-08-05

Title

Request a Quote Form Plugin < 2.5.3 - Unauthenticated Limited Remote Code Execution

Published

2025-02-05

Title

CURCY – Multi Currency for WooCommerce < 2.2.6 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function

Published

2018-08-26

Title

Plainview Activity Monitor < 20180826 - Remote Command Execution (RCE)

Published

2025-06-23

Title

Content No Cache < 0.1.5 - Unauthenticated Arbitrary Function Call