What is CVE-2026-3300?
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
Affected product
WordPress Everest Forms Pro
Remediation Steps
- Apply the vendor security update for WordPress Everest Forms Pro as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References
Coverage on defend.network
- Vulnerability Priority Report – Week 2 of June 2026 (June 8 – 14)
- Miasma worm hits Microsoft GitHub, SolarWinds Serv-U actively exploited, WordPress Everest Forms RCE (2026-06-08)
- Miasma worm hits Microsoft GitHub; SolarWinds actively exploited; Chrome 429 patches (2026-06-07)
- Critical Exploits: npm Supply Chain, WordPress Plugin, SolarWinds, IIS Attacks (2026-06-06)
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.