← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-3300 · CWE-94 · Disclosed 2026-03-31

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in…

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a loaded nail gun left on the porch, but only at houses that bought the add-on and left that exact tool plugged in

CVE-2026-3300 is a server-side PHP code injection bug in Everest Forms Pro for WordPress affecting all versions through 1.9.12, fixed in 1.9.13. Per Wordfence and NVD, attacker-controlled values from string-type form fields are concatenated into PHP code and passed to eval() inside the Calculation add-on flow, which can yield unauthenticated remote code execution when a form uses the Complex Calculation feature. The vulnerable condition is not just “plugin installed”; the exposed form has to actually use that calculation path.

The vendor/assigned 9.8 CRITICAL score is technically fair in a lab because this is no-auth, network-reachable RCE with full site compromise. In the field, though, the reachable population is materially narrower: you need the paid Pro plugin, a vulnerable version, and a publicly reachable form wired to Complex Calculation. That friction is real enough to downgrade from CRITICAL to HIGH, but not lower, because once the feature is exposed the attacker gets the whole WordPress box.

"Direct unauth RCE, but only on paid installs that actually expose Complex Calculation forms"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable Everest Forms target

An attacker uses commodity recon like httpx, wpscan, or plain web crawling to locate WordPress sites exposing Everest Forms endpoints or recognizable form markup. The practical objective is not merely finding the plugin family, but finding a public form likely tied to pricing, calculator, quote, booking, or other dynamic calculation logic.
Conditions required:
  • Target runs WordPress
  • Everest Forms Pro is installed at version <= 1.9.12
  • At least one vulnerable form is internet reachable
Where this breaks in practice:
  • Pro install base is smaller than the free plugin population
  • Internet-scale fingerprinting for the Pro calculation feature is weak
  • Many Everest deployments may not expose the specific calculation workflow publicly
Detection/coverage: External ASM and plugin fingerprinting can usually identify Everest Forms family exposure, but not reliably whether Complex Calculation is enabled. Scanner coverage for the exact feature gate is partial.
STEP 02

Send a crafted form submission

Using curl, Burp Repeater, or a trivial custom PoC derived from the Wordfence/NVD description, the attacker submits a malicious value in a string-type field such as text, email, URL, select, or radio. The payload is designed to break out of expected PHP string context during formula handling and inject executable PHP.
Conditions required:
  • Form accepts unauthenticated submissions
  • Form includes attacker-controllable string fields
  • Submission reaches the calculation processing path
Where this breaks in practice:
  • If the form is protected by login, IP allowlists, or not public, this path dies
  • If the form does not invoke Complex Calculation on submit, the bug is not reached
  • Bot controls and rate limits reduce mass scanning efficiency but do not fix the bug
Detection/coverage: WAFs can sometimes catch obvious PHP metacharacter payloads in POST bodies, but generic rules are inconsistent because the exploit rides a normal form submission.
STEP 03

Trigger unsafe eval in calculation processing

On the server, the vulnerable calculation flow concatenates submitted values into a PHP code string and hands it to eval(). At that moment the bug stops being a WordPress nuisance and becomes arbitrary server-side code execution in the PHP worker context.
Conditions required:
  • Vulnerable code path present
  • Input is not safely escaped for PHP code context
  • Form configuration invokes calculation parsing
Where this breaks in practice:
  • Patched version 1.9.13 removes the vulnerable state
  • Sites using a virtual patching rule may block the request before PHP executes it
Detection/coverage: Runtime evidence may show up as PHP-FPM/Apache errors, unusual POST bodies, or child-process activity, but many WordPress stacks have thin app logging. Traditional vuln scanners often flag only by version, not by proof of the feature being enabled.
STEP 04

Convert code execution into persistence

With PHP execution, the attacker can create an admin user, write a web shell, alter plugin files, steal database credentials, or pivot into the underlying host. Secondary reporting on June 4, 2026 claimed campaigns tried to create a rogue administrator account, but I could not verify a primary Wordfence incident post for that telemetry.
Conditions required:
  • Code execution succeeds
  • PHP worker has normal WordPress file/database access
Where this breaks in practice:
  • Immutable containers, read-only filesystems, or aggressive EDR on the host can limit persistence options
  • Some managed WordPress platforms restrict dangerous file writes
Detection/coverage: EDR on the host, WordPress file-integrity monitoring, new-admin-user alerts, and web-shell heuristics are the best detection layers after exploitation.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo CISA KEV listing found. I did not find a primary vendor or Wordfence incident post confirming exploitation. A secondary June 4, 2026 article on SecurityOnline claims Wordfence telemetry and blocked attempts; treat that as unverified until matched to a primary source.
Proof-of-concept availabilityPublic exploit detail is sufficient to weaponize with curl/Burp from the Wordfence/NVD description alone. Atomic Edge published a public PoC-style write-up on 2026-04-01.
EPSS0.00313 from the user-provided intel. A secondary Feedly view associated the CVE with roughly the 52nd percentile, which supports the read that this is dangerous when present but not currently a top mass-exploitation favorite.
KEV statusNot KEV-listed as of 2026-06-04.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is technically sound for the vulnerable path itself. The overstatement comes from deployment assumptions CVSS does not encode: Pro only and Complex Calculation form actually in use.
Affected versionsEverest Forms Pro <= 1.9.12 according to Wordfence, NVD, and Patchstack.
Fixed version1.9.13. Vendor changelog dates that release to 2026-03-24 and notes a generic 'Security issue' fix. There are no distro backports to track here; this is a WordPress plugin update problem.
Exposure populationThe free Everest Forms plugin advertises 100,000+ active WordPress websites on WordPress.org, but the Pro install base is not publicly counted there. Real exposure is therefore smaller than headline Everest numbers and narrower still because the exploit requires public Complex Calculation usage.
Feature gate that mattersVendor docs show the Calculations add-on is a distinct capability used for calculators, conditional math, and payment logic. If your estate uses Everest only for basic contact forms, this CVE often collapses from emergency to targeted cleanup.
Disclosure and researcherPublic disclosure landed around 2026-03-30/31 depending on source timezone. Wordfence credits the researcher as h0xilo / hoshino in its records.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (8.4/10)

The decisive factor is the feature gate: exploitation requires not just a vulnerable plugin version, but a publicly reachable form using Complex Calculation on a paid Pro deployment. That narrows the reachable population enough to move this out of blanket-CRITICAL territory, even though successful exploitation still yields full WordPress and likely host-level compromise.

HIGH Technical impact if the vulnerable path is reachable
MEDIUM Severity downgrade based on real-world exposure narrowing
LOW Claimed active exploitation telemetry from secondary reporting

Why this verdict

  • Downgrade: requires the paid Pro plugin rather than the broader free-plugin population, which materially shrinks the exposed enterprise set.
  • Downgrade: requires a specific workflow — a form must be publicly reachable and use the Complex Calculation feature, which is a real deployment filter, not edge-case trivia.
  • Still HIGH: no auth and full compromise — if the feature is exposed, the attacker can go straight from internet access to PHP execution and site takeover.

Why not higher?

I am not keeping this at CRITICAL because the attack path is narrower than the vendor CVSS implies in day-to-day enterprise reality. CVSS does not account for the fact that many Everest deployments are basic forms, not public calculator/payment logic backed by the vulnerable path, and I could not validate authoritative active-exploitation evidence.

Why not lower?

This is not MEDIUM because the bug is still unauthenticated remote code execution with server-side execution, not a post-auth admin bug or a local foothold issue. When the prerequisites are met, blast radius is immediate and severe: WordPress compromise, credential theft, persistent backdoor, and possible host pivot.

05 · Compensating Control

What to do — in priority order.

  1. Disable vulnerable calculation forms — If patching cannot happen immediately, take the exploit path away by disabling or unpublishing Everest Forms that use Complex Calculation, especially public quote, pricing, BMI, booking, and payment-style forms. For a HIGH verdict, deploy this compensating control within 30 days, and faster on any internet-facing business-critical site.
  2. Apply a virtual patch at the edge — Use a WAF or managed WordPress firewall rule to block suspicious POST bodies hitting Everest form submission endpoints, especially payloads containing PHP metacharacters or formula-breaking strings. This is mitigation, not cure; deploy within 30 days for HIGH, or sooner anywhere public forms are exposed.
  3. Hunt for post-exploit persistence — Review WordPress admin users, plugin/theme file integrity, unexpected wp-content/uploads PHP artifacts, and recent changes to forms/plugins. Do this immediately on internet-facing sites because this vulnerability, once hit, gives an attacker everything needed for quiet persistence.
  4. Restrict who can reach high-risk forms — Where business allows it, put sensitive calculator/order forms behind authentication, IP allowlists, or temporary geo/rate restrictions. This does not remove the vulnerability, but it cuts the unauthenticated attack surface while you work through patching; for HIGH, enforce within 30 days.
What doesn't work
  • MFA on wp-admin does not stop this exploit path because exploitation happens through the public form submission flow, not administrator login.
  • Version-only vulnerability scanning is not enough because it misses the key question: is Complex Calculation actually exposed on a public form?
  • CAPTCHA alone helps against noisy bots but does not eliminate a targeted exploit; a human or scripted solver can still submit the malicious request.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host from a shell that can access the site files and database via wp-cli. Example: sudo ./check_cve_2026_3300.sh /var/www/html. It needs read access to the WordPress install and enough privilege for wp plugin and wp db query; root is not strictly required if the web app owner account can run wp.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2026_3300.sh
# Detect likely exposure to CVE-2026-3300 on a WordPress host.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -euo pipefail

WP_PATH="${1:-}"
if [[ -z "$WP_PATH" ]]; then
  echo "Usage: $0 /path/to/wordpress"
  echo "UNKNOWN: missing WordPress path"
  exit 2
fi

if ! command -v wp >/dev/null 2>&1; then
  echo "UNKNOWN: wp-cli not found"
  exit 2
fi

if [[ ! -f "$WP_PATH/wp-config.php" ]]; then
  echo "UNKNOWN: wp-config.php not found at $WP_PATH"
  exit 2
fi

wp_safe() {
  wp --path="$WP_PATH" --skip-plugins --skip-themes "$@" 2>/dev/null
}

plugin_installed="no"
if wp_safe plugin is-installed everest-forms-pro; then
  plugin_installed="yes"
fi

if [[ "$plugin_installed" != "yes" ]]; then
  echo "PATCHED: Everest Forms Pro not installed"
  exit 0
fi

version="$(wp_safe plugin get everest-forms-pro --field=version || true)"
if [[ -z "$version" ]]; then
  echo "UNKNOWN: unable to determine everest-forms-pro version"
  exit 2
fi

version_le() {
  # returns 0 if $1 <= $2
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" == "$1" ]]
}

if ! version_le "$version" "1.9.12"; then
  echo "PATCHED: everest-forms-pro version $version"
  exit 0
fi

# We know the installed version is vulnerable. Now try to determine whether
# the calculation feature is likely present/exposed.
plugin_list="$(wp --path="$WP_PATH" plugin list --format=csv 2>/dev/null || true)"
calc_plugin_hit="no"
if echo "$plugin_list" | grep -Eiq 'everest.*calc|calc.*everest'; then
  calc_plugin_hit="yes"
fi

# Search WordPress DB content for likely calculation/formula markers.
# This is intentionally heuristic because plugin internals and table names vary.
db_dump="$(wp --path="$WP_PATH" db export - --quiet 2>/dev/null | strings 2>/dev/null | grep -Eio 'enable_calculation|complex calculation|expression_field|formula is valid|calculations addon|if \(\$FIELD_|elseif\(\$FIELD_|endif;' | sort -u || true)"

if [[ "$calc_plugin_hit" == "yes" ]]; then
  echo "VULNERABLE: everest-forms-pro version $version with calculation-related plugin evidence"
  exit 1
fi

if [[ -n "$db_dump" ]]; then
  echo "VULNERABLE: everest-forms-pro version $version with calculation-related data found"
  exit 1
fi

# Vulnerable version present, but we could not prove whether Complex Calculation is enabled.
echo "UNKNOWN: everest-forms-pro version $version is vulnerable by version, but no calculation-feature evidence was found"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull an inventory of all WordPress estates running Everest Forms Pro and separate them into two buckets: public forms that use calculators/quotes/payment math and everything else. For this HIGH verdict, the noisgate mitigation SLA is ≤30 days, so disable/unpublish those calculation-driven forms or place an effective virtual patch in front of them inside that window; the noisgate remediation SLA is ≤180 days, so move every affected site to 1.9.13+ before then. If you confirm a public Complex Calculation form on an internet-facing site, treat that host as the priority set even though the global verdict is not CRITICAL.

Sources

  1. NVD CVE-2026-3300
  2. Wordfence advisory for Everest Forms Pro <= 1.9.12
  3. Everest Forms vendor changelog
  4. WordPress.org plugin page for Everest Forms
  5. Everest Forms documentation: Calculations
  6. Patchstack advisory
  7. Wordfence weekly report listing CVE-2026-3300
  8. SecurityOnline secondary report claiming exploitation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.