VYPR
kev · Published Jun 3, 2026 · 1 source

Critical RCE Vulnerability in Everest Forms Pro WordPress Plugin Actively Exploited

A critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin, affecting versions up to 1.9.12, is being actively exploited by attackers.

A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2026-3300, has been discovered in the popular Everest Forms Pro WordPress plugin. This flaw, present in versions up to and including 1.9.12, allows unauthenticated attackers to inject and execute arbitrary PHP code on the server, leading to complete website compromise. The vulnerability stems from the plugin's Calculation Addon, specifically within the 'Complex Calculation' feature.

Technically, the process_filter() function in the EverestForms\Pro\Addons\Calculation\Process\Process class is susceptible to PHP code injection. This function concatenates user-submitted form field values directly into a PHP code string before passing it to the eval() function. Although the input passes through sanitize_text_field(), that sanitization is insufficient because it does not escape single quotes or other characters that are significant in PHP source. Consequently, attackers can craft malicious input for string-based form fields, such as text, email, URL, select, and radio fields, to achieve RCE.
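As an added illustration (not code from the plugin, the vendor or the advisory), the unsafe pattern described above next to a hardened version that refuses non-numeric values and never quotes field text into PHP source; the function and placeholder names are hypothetical, and sanitize_text_field() is the WordPress helper the text names.

```php
<?php
// Added illustration, not Everest Forms' code. Function and placeholder names
// are hypothetical; sanitize_text_field() is the WordPress helper named above.

// UNSAFE: the field value is text-sanitized, wrapped in single quotes and pasted
// into PHP source. sanitize_text_field() strips tags and control characters but
// leaves "'" alone, so a quote in the value closes the literal and whatever
// follows is parsed as PHP. Needs WordPress loaded; shown only for contrast.
function unsafe_calculate(string $formula, array $fields): mixed
{
    foreach ($fields as $id => $value) {
        $quoted  = "'" . sanitize_text_field($value) . "'";
        $formula = str_replace('{field_' . $id . '}', $quoted, $formula);
    }
    return eval('return ' . $formula . ';');
}

// HARDENED: a calculation only needs numbers, so (1) refuse any value that is not
// numeric before it touches the formula, (2) substitute a fixed-point literal, never
// a quoted string, (3) allowlist the finished expression so only digits, operators,
// parentheses and whitespace remain, and (4) treat parse or arithmetic errors as a
// failed calculation. Replacing eval() with a purpose-built arithmetic parser would
// remove the residual risk entirely; the allowlist is the minimum.
function safe_calculate(string $formula, array $fields): ?float
{
    foreach ($fields as $id => $value) {
        if (!is_numeric($value)) {
            return null;                           // wrong type: reject, don't "clean"
        }
        // %F is fixed-point and locale-independent, so no "E+25" can reach the regex.
        $literal = sprintf('%.10F', (float) $value);
        $formula = str_replace('{field_' . $id . '}', $literal, $formula);
    }
    if (preg_match('/^[0-9.+\-*\/()\s]+$/', $formula) !== 1) {
        return null;                               // leftover placeholder or foreign character
    }
    try {
        $result = eval('return ' . $formula . ';');
    } catch (\Throwable $e) {                      // ParseError, DivisionByZeroError, ...
        return null;
    }
    return is_numeric($result) ? (float) $result : null;
}

// Constructed sample form: two prices and a quantity.
$formula = '({field_1} + {field_2}) * {field_3}';
var_dump(safe_calculate($formula, [1 => '19.99', 2 => '5', 3 => '3']));  // numeric input: computed
var_dump(safe_calculate($formula, [1 => "19.99'", 2 => '5', 3 => '3'])); // stray quote: rejected
```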

Exploitation of this vulnerability began on April 13th, 2026, shortly after the public disclosure of the flaw on March 30th, 2026. The Wordfence Firewall has been instrumental in blocking a significant number of these attacks, with over 29,300 exploit attempts detected and mitigated. Wordfence Premium, Care, and Response users received protection via a firewall rule on February 27th, 2026, while users of the free Wordfence plugin received similar protection on March 29th, 2026.

The vendor, Everest Forms, released version 1.9.13 on March 18th, 2026, to address this critical vulnerability. The plugin, which has an estimated 4,000 active installations, is widely used for creating and managing forms on WordPress websites. The high CVSS score of 9.8 underscores the severity of this RCE flaw.

Given the active exploitation and the potential for complete site takeover, website administrators are strongly urged to update their Everest Forms Pro plugin to the patched version 1.9.13 immediately. Failure to do so leaves sites vulnerable to malicious actors who can leverage this flaw for various nefarious purposes, including data theft, malware deployment, or using the compromised site as a launchpad for further attacks.

This incident highlights the ongoing threat posed by vulnerabilities in popular WordPress plugins. The ease of exploitation, combined with the plugin's widespread use, makes it a prime target for attackers. The rapid exploitation following disclosure emphasizes the need for prompt patching and robust security measures, such as Web Application Firewalls (WAFs), to protect against such threats.

Organizations relying on Everest Forms Pro should prioritize this update. Beyond patching, maintaining regular backups, employing security plugins, and staying informed about newly disclosed vulnerabilities are crucial steps in fortifying WordPress websites against the ever-evolving threat landscape.

Synthesized by Vypr AI