A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-3300, was discovered in Everest Forms Pro. It carries a CVSS score of 9.8, near the maximum, and allows unauthenticated attackers to execute arbitrary PHP code on the target server, effectively compromising the site.
WPEverest, the developer, released a patch in version 1.9.13 on March 18, 2026. This was a timely response. However, active exploitation began almost a month later, around April 13, 2026, and continues today, June 6, 2026.
Wordfence, a security firm, has blocked over 29,300 exploitation attempts since April, with a significant surge of over 17,900 attempts on May 16 alone, as detailed in their report. In the last 24 hours, 16 additional attempts were blocked. The most common payload observed, as reported by Wordfence, involves creating a rogue administrator account named "diksimarina" with the email diksimarina@gmail.com. Many of these requests originate from IP 202.56.2.126, accounting for over 26,300 blocked attempts.
How the Everest Forms Pro Vulnerability Exploits a Calculation Feature
The root cause is a well-known eval() vulnerability. The Everest Forms Pro plugin includes a "Calculation" add-on, specifically its "Complex Calculation" feature. This particular Everest Forms Pro vulnerability stems from how this feature processes user input. When a form utilizes this, it concatenates user-submitted field values into a PHP string, then passes that string directly to eval() for execution.
The attack chain proceeds as follows:
- A form is configured with the "Complex Calculation" feature.
- An attacker crafts malicious input for a string-type field (e.g., text, email, URL, select, or radio).
- The plugin's sanitize_text_field() function processes the input. While useful for general text sanitization, this function does not escape single quotes.
- Because single quotes are not escaped, the attacker can break out of the PHP string intended for eval().
- They then inject arbitrary PHP code. For instance, if the expected input is `'user_input'`, an attacker can submit `' + system('whoami') + '` to execute whoami on the server.
- The eval() function executes the attacker's PHP code, leading to Remote Code Execution (RCE).
This technique exploits a well-known anti-pattern in secure coding: the use of eval() with unsanitized user input. The fact that sanitize_text_field() failed to handle single quotes in this specific context merely simplified the exploitation of this Everest Forms Pro vulnerability.
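The pattern above and its fix, side by side, as an added example that is not code from Everest Forms Pro or WPEverest: calc_vulnerable() is a schematic of the eval() anti-pattern the article describes, and calc_hardened() with SafeFormula is one way to keep a calculation feature without ever handing user input to the interpreter. The function names, the {field} placeholder syntax and the sample submissions are assumptions made for illustration. The hardened version substitutes numeric values only and parses the formula with a small whitelist grammar, so a value carrying a single quote is rejected before anything is evaluated.

```php
<?php
declare(strict_types=1);
// Added example, not Everest Forms Pro code. Function names, the {field}
// placeholder syntax and the sample inputs are assumptions for illustration.
// Schematic of the anti-pattern described above: submitted values are spliced
// into a PHP string that is handed to eval(). sanitize_text_field() leaves
// single quotes alone, so a value can close the literal and append PHP code.
function calc_vulnerable(string $formula, array $fields)
{
    foreach ($fields as $name => $value) {
        $formula = str_replace('{' . $name . '}', "'" . $value . "'", $formula);
    }
    return eval('return ' . $formula . ';'); // the injection point
}

// Hardened replacement: a placeholder can only become a number, and the formula
// is evaluated by a small parser that accepts only numbers, + - * / and
// parentheses. No user-controlled byte ever reaches PHP as code.
function calc_hardened(string $formula, array $fields): float
{
    $expr = preg_replace_callback('/\{([A-Za-z0-9_]+)\}/', function (array $m) use ($fields): string {
        $value = $fields[$m[1]] ?? '';
        if (!is_numeric($value)) {
            throw new InvalidArgumentException("field '{$m[1]}' is not numeric");
        }
        return sprintf('%.6F', (float) $value); // fixed-point, never 'E' notation
    }, $formula);
    $tokens = [];
    for ($i = 0, $len = strlen($expr); $i < $len; $i++) {
        $c = $expr[$i];
        if ($c === ' ') {
            continue;
        } elseif (strpos('0123456789.', $c) !== false) {
            $start = $i;
            while ($i + 1 < $len && strpos('0123456789.', $expr[$i + 1]) !== false) { $i++; }
            $tokens[] = (float) substr($expr, $start, $i - $start + 1);
        } elseif (strpos('+-*/()', $c) !== false) {
            $tokens[] = $c;
        } else { // quotes, letters, ';', backticks: rejected before anything runs
            throw new InvalidArgumentException("unexpected character '$c' in formula");
        }
    }
    return (new SafeFormula($tokens))->evaluate();
}

// Recursive-descent evaluator over the token list, with standard precedence.
final class SafeFormula
{
    private array $tokens;
    private int $pos = 0;
    public function __construct(array $tokens) { $this->tokens = $tokens; }
    private function peek() { return $this->tokens[$this->pos] ?? null; }
    public function evaluate(): float
    {
        $v = $this->sum();
        if ($this->pos !== count($this->tokens)) { throw new InvalidArgumentException('trailing input'); }
        return $v;
    }
    private function sum(): float // sum := term (('+' | '-') term)*
    {
        $v = $this->term();
        while ($this->peek() === '+' || $this->peek() === '-') {
            $v = $this->tokens[$this->pos++] === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }
    private function term(): float // term := factor (('*' | '/') factor)*
    {
        $v = $this->factor();
        while ($this->peek() === '*' || $this->peek() === '/') {
            $op = $this->tokens[$this->pos++];
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) { throw new InvalidArgumentException('division by zero'); }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float // factor := number | '-' factor | '(' sum ')'
    {
        $t = $this->peek();
        if ($t === '(') {
            $this->pos++;
            $v = $this->sum();
            if ($this->peek() !== ')') { throw new InvalidArgumentException('missing closing parenthesis'); }
            $this->pos++;
            return $v;
        }
        if ($t === '-') { $this->pos++; return -$this->factor(); }
        if (is_float($t)) { $this->pos++; return $t; }
        throw new InvalidArgumentException('malformed formula');
    }
}

// Constructed submissions: a normal one, and one smuggling a single quote.
echo calc_hardened('{price} * {qty} + 5', ['price' => '19.99', 'qty' => '3']), PHP_EOL;
try {
    calc_hardened('{price} * {qty}', ['price' => "19.99' . 'x", 'qty' => '1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the php command-line binary: the first call prints the computed total and the second is rejected at the substitution step, before any parsing. The design choice that matters is the numeric cast plus fixed-point formatting, which guarantees that the only characters user input can contribute to the expression are digits, a dot and a leading minus sign; the parser then only has to know four operators and parentheses, and there is no code path that reaches eval() at all.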
The Real-World Fallout
The practical impact is direct: any attacker gaining this access can execute arbitrary PHP code on the server. This Everest Forms Pro vulnerability allows them to:
- Create rogue administrator accounts, such as "diksimarina."
- Plant webshells for persistent access.
- Establish further footholds within the compromised environment.
- Steal data, deface the site, or use it as a platform for subsequent attacks.
With approximately 4,000 active installations of Everest Forms Pro, as reported by Wordfence, this Everest Forms Pro vulnerability represents a significant attack surface. While the number may not be in the millions, each of those 4,000 sites represents a business, a blog, or an organization vulnerable to complete compromise.
Beyond the Patch: What Needs to Change
For users running Everest Forms Pro versions up to and including 1.9.12, updating to 1.9.13 is an immediate and critical step to mitigate this Everest Forms Pro vulnerability.
Beyond the immediate patch, this incident serves as a stark reminder of the dangers inherent in using functions like eval() with unsanitized user input within the WordPress plugin ecosystem. The Everest Forms Pro vulnerability specifically highlights how sanitize_text_field()—while generally useful—can be insufficient when dealing with code context, failing to escape critical characters like single quotes that allow for arbitrary PHP injection.
This specific failure mode underscores the need for developers to apply context-aware sanitization and to rigorously avoid eval() for user-supplied calculations, a practice that falls squarely under Injection (A03) in the OWASP Top 10 for 2021.
The ongoing exploitation of CVE-2026-3300 demonstrates how a seemingly innocuous calculation feature, combined with improper input handling and the use of eval(), can lead to complete site compromise. For the approximately 4,000 active installations, updating to version 1.9.13 immediately remains the critical defense against these persistent attacks. The incident also underscores the need for developers to review their code for eval() usage, and for site administrators to keep a rigorous update schedule, particularly for commercial plugins that often handle sensitive user input. Proactive measures, including regular audits and adherence to secure coding practices, are the best protection against similar flaws in the WordPress ecosystem.