CVE-2026-3300 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: March 31, 2026
Everest Forms Pro - Remote Code Execution
Published: March 31, 2026 | Updated: March 31, 2026 | Remote Exploitable
Overview
The Everest Forms Pro plugin for WordPress, versions <= 1.9.12, contains a remote code execution vulnerability caused by improper escaping of user-submitted form field values in the Calculation Addon's process_filter() function. Unauthenticated attackers can execute arbitrary PHP code via crafted input in string-type form fields when the Complex Calculation feature is in use.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated attackers can execute arbitrary PHP code on the server, potentially leading to full system compromise.
Mitigation
Update to the latest version of the Everest Forms Pro plugin.
Details
- CVE ID: CVE-2026-3300
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: new
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H