
[CIVN-2026-0303] Remote Code Execution vulnerability in Everest Forms Pro plugin of WordPress
Indian - Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Everest Forms Pro WordPress plugin versions prior to 1.9.13
Overview
A vulnerability has been reported in the Everest Forms Pro plugin for WordPress which could allow an unauthenticated attacker to execute arbitrary code on the targeted system.
Target Audience:
All end user organizations and individuals using Everest Forms Pro plugin for WordPress.
Risk Assessment:
High risk of unauthenticated arbitrary code execution, unauthorized administrative access, and service disruption.
Impact Assessment:
Potential for complete compromise of website.
Description
Everest Forms Pro is a WordPress plugin used to create contact forms, registration forms, payment forms, surveys, and other custom forms.
A critical vulnerability exists in the Everest Forms Pro plugin due to improper input sanitization. An attacker could exploit this vulnerability by sending crafted form inputs when the Complex Calculation feature is enabled.
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary PHP code on the targeted system.
Note: The vulnerability (CVE-2026-3300) is being actively exploited in the wild.
Solution
Apply the appropriate fixes/patches as mentioned in:
https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
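To find installations still on an affected version, the following added example (not part of the CERT-In advisory or the vendor's code) scans a WordPress plugins directory for copies of Everest Forms Pro older than 1.9.13. It assumes the plugin's header comment carries the name "Everest Forms Pro"; the folder and file names in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "1.9.13"           # from the advisory: earlier versions are affected
PLUGIN_NAME = "everest forms pro"  # assumption: text of the "Plugin Name:" header

# WordPress plugin header fields sit in a comment at the top of the main PHP file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """Turn '1.9.12' or '1.9.12-beta' into a comparable tuple of ints."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def read_header(php_file):
    """Return the lower-cased header fields found in the first 8192 characters."""
    head = php_file.read_text(errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def find_vulnerable(plugins_dir):
    """List (folder, version) for Everest Forms Pro copies older than the fix."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header.get("plugin name", "").lower() != PLUGIN_NAME:
            continue
        version = header.get("version", "0")  # no version header: treat as affected
        if parse_version(version) < parse_version(FIXED_VERSION):
            hits.append((php_file.parent.name, version))
    return hits

def demo():
    """Run the scan over a constructed plugins directory (folder names are made up)."""
    samples = {"forms-old": ("Everest Forms Pro", "1.9.12"),
               "forms-new": ("Everest Forms Pro", "1.9.13"),
               "other": ("Some Other Plugin", "1.0.0")}
    with tempfile.TemporaryDirectory() as root:
        for folder, (name, version) in samples.items():
            plugin = Path(root, folder)
            plugin.mkdir()
            plugin.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return find_vulnerable(root)

if __name__ == "__main__":
    for folder, version in demo():
        print(f"{folder}: version {version} is older than {FIXED_VERSION}")
```

On a real host, call `find_vulnerable()` with the site's `wp-content/plugins` directory and update every installation it reports.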
Vendor Information
Everest Forms
https://everestforms.net/
References
https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
CVE Name
CVE-2026-3300
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


