CVE-2026-3300
Published: 31 March 2026
Summary
CVE-2026-3300 is a critical-severity Code Injection (CWE-94) vulnerability in Everestforms (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the PHP code injection flaw in the Everest Forms Pro plugin, directly preventing exploitation of CVE-2026-3300.
Mandates validation and sanitization of user-submitted form field values to prevent malicious PHP code injection before concatenation into eval() strings.
Enables vulnerability scanning to detect the code injection vulnerability in the Everest Forms Pro plugin and prioritize its remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote code execution via PHP injection in a public-facing WordPress plugin, directly mapping to exploitation of public-facing applications.
NVD Description
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into…
more
a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.
Deeper analysisAI
CVE-2026-3300 is a remote code execution vulnerability via PHP code injection in the Everest Forms Pro plugin for WordPress, affecting all versions up to and including 1.9.12. The issue resides in the Calculation Addon's process_filter() function, which concatenates user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). Although sanitize_text_field() is applied to the input, it fails to escape single quotes or other PHP code context characters, enabling code injection.
Unauthenticated attackers can exploit this vulnerability by submitting a crafted value in any string-type form field, such as text, email, URL, select, or radio, on a form that utilizes the "Complex Calculation" feature. Successful exploitation grants arbitrary PHP code execution on the server, with a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflecting its critical severity and associated with CWE-94.
Advisories and patch information are detailed in the Everest Forms changelog at https://everestforms.net/changelog/, the vulnerable source code line in the WordPress plugin trac at https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve.
Details
- CWE(s)