CVE-2026-3300

CRITICAL EXPLOITED NUCLEI

Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field

Title source: cna

Exploitation Summary

CVE-2026-3300 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including adamshaikhma and HORKimhab. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository claims to exploit CVE-2026-3300 (Everest Forms Pro RCE via PHP code injection) but provides no actual exploit code, instead redirecting users to an external download link (tinyurl.com). The README lacks technical depth and reads like a sales pitch.

Description

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
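The defect described above is a value reaching a PHP code context, so the fix is not a better string sanitizer but keeping user input out of code altogether. The following hardened calculation step is an added illustration, not code from Everest Forms Pro or its Calculation Addon; the class name SafeCalc, the `{field_id}` placeholder syntax and the sample submission are all assumptions constructed for the example.

```php
<?php
// Hypothetical hardened calculation step (not the plugin's code): field values
// are validated as numbers before substitution, and the bound formula is
// evaluated by a small arithmetic parser instead of eval(), so a quote-bearing
// value can never be interpreted as PHP.
final class SafeCalc {
    private string $s = ''; private int $i = 0;
    // Replace {field_id} placeholders with validated numeric values.
    public static function bind(string $formula, array $fields): string {
        return preg_replace_callback('/\{([a-z0-9_]+)\}/i', function ($m) use ($fields) {
            // FILTER_VALIDATE_FLOAT rejects quotes, letters and anything non-numeric,
            // which sanitize_text_field() would have passed through untouched.
            $n = filter_var(trim((string) ($fields[$m[1]] ?? '')), FILTER_VALIDATE_FLOAT);
            if ($n === false) throw new InvalidArgumentException("Field {$m[1]} is not numeric");
            return '(' . $n . ')'; // parenthesised so a negative value binds correctly
        }, $formula);
    }
    public static function evaluate(string $formula, array $fields): float {
        $expr = self::bind($formula, $fields);
        // Defence in depth: only arithmetic characters may remain after binding.
        if (!preg_match('/^[0-9.+\-*\/()\s]+$/', $expr)) throw new InvalidArgumentException('Bad formula');
        $p = new self(); $p->s = preg_replace('/\s+/', '', $expr); $v = $p->expr();
        if ($p->i !== strlen($p->s)) throw new InvalidArgumentException('Trailing input');
        return $v;
    }
    private function peek(): string { return $this->s[$this->i] ?? ''; }
    private function expr(): float {   // expr := term (('+'|'-') term)*
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') { $this->i++; $r = $this->term(); $v = $op === '+' ? $v + $r : $v - $r; }
        return $v;
    }
    private function term(): float {   // term := factor (('*'|'/') factor)*
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->i++; $r = $this->factor();
            if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('Division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float { // factor := number | '-' factor | '(' expr ')'
        $c = $this->peek();
        if ($c === '-') { $this->i++; return -$this->factor(); }
        if ($c === '(') { $this->i++; $v = $this->expr(); if ($this->peek() !== ')') throw new InvalidArgumentException('Expected )'); $this->i++; return $v; }
        if (!preg_match('/\G\d+(\.\d+)?/', $this->s, $m, 0, $this->i)) throw new InvalidArgumentException("Bad token at offset {$this->i}");
        $this->i += strlen($m[0]); return (float) $m[0];
    }
}
// Constructed sample input: a benign submission evaluates; a value carrying a single quote is rejected.
var_dump(SafeCalc::evaluate('{qty} * {price} - {discount}', ['qty' => '3', 'price' => '19.99', 'discount' => '5']));
try { SafeCalc::evaluate('{qty} * 2', ['qty' => "3'"]); } catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

Values that FILTER_VALIDATE_FLOAT accepts in exponent notation are rejected by the character whitelist as written; widen the whitelist or format the number if such inputs are legitimate.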

Exploits (2)

github SUSPICIOUS
by adamshaikhma · poc
https://github.com/adamshaikhma/CVE-2026-3300

The repository claims to exploit CVE-2026-3300 (Everest Forms Pro RCE via PHP code injection) but provides no actual exploit code, instead redirecting users to an external download link (tinyurl.com). The README lacks technical depth and reads like a sales pitch.

Classification
Suspicious 90%
Attack Type
Rce
Complexity
Theoretical
Reliability
Theoretical
Target: Everest Forms Pro (WordPress plugin) <= 1.9.12
No auth needed
Prerequisites: Everest Forms Pro with Calculation Addon enabled
devstral-2 · analyzed Jun 05, 2026
github WORKING POC
by HORKimhab · python · remote
https://github.com/HORKimhab/CVE-2026-3300

This repository contains a functional exploit for CVE-2026-3300, targeting Everest Forms Pro <= 1.9.12 via unauthenticated PHP code injection in the Calculation Addon. The PoC includes multiple exploitation modes (scan, command execution, reverse shell) and demonstrates the vulnerability through crafted HTTP requests.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Everest Forms Pro <= 1.9.12 (WordPress plugin)
No auth needed
Prerequisites: WordPress site with Everest Forms Pro installed · Calculation Addon enabled · Accessible form field (e.g., text_field)
devstral-2 · analyzed Jun 05, 2026

Nuclei Templates (1)

Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection
CRITICAL · VERIFIED · by DhiyaneshDk
FOFA: body="/wp-content/plugins/everest-forms-pro/"

Scores

CVSS v3 9.8
EPSS 0.3494
EPSS Percentile 97.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-06-03
CWE
CWE-94
Status published
Products (1)
WPEverest/Everest Forms Pro < 1.9.12
Published Mar 31, 2026
Tracked Since Mar 31, 2026