Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website.
The security issue affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.
Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms.
The CVE-2026-3300 vulnerability is in the plugin’s Complex Calculation feature, which accepts values submitted through form fields and inserts them into a PHP code string. It then executes the resulting code using PHP’s ‘eval()’ function.
Although user input is passed through the ‘sanitize_text_field()’ function, that function does not escape single quotes (') or other characters that influence PHP syntax, so the sanitization does not stop a submitted value from altering the code that ends up being executed.
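The defensive fix for this class of bug is not stronger sanitization but removing eval() from the path entirely. The snippet below is an added example, not Everest Forms code: a hypothetical safe_calculate() helper validates a calculation field against a strict whitelist grammar (digits, decimal point, whitespace and the four arithmetic operators) and evaluates it with a small precedence-aware loop, so quotes or other PHP syntax can never reach an interpreter.

```php
<?php
// Added example (not Everest Forms code): evaluate a calculation field
// without building a PHP code string and without eval().
function safe_calculate(string $formula): float
{
    // Whitelist grammar: number (op number)* with + - * / only.
    // Quotes, letters, semicolons and similar are rejected up front.
    if (!preg_match('/^\s*\d+(?:\.\d+)?(?:\s*[+\-*\/]\s*\d+(?:\.\d+)?)*\s*$/', $formula)) {
        throw new InvalidArgumentException('Formula contains disallowed characters or syntax');
    }
    preg_match_all('/\d+(?:\.\d+)?|[+\-*\/]/', $formula, $m);
    $tokens = $m[0]; // alternating number / operator tokens

    // Sum of signed products: * and / bind tighter than + and -.
    $total = 0.0;
    $sign = 1.0;
    $i = 0;
    while ($i < count($tokens)) {
        $product = (float) $tokens[$i++];
        while ($i < count($tokens) && ($tokens[$i] === '*' || $tokens[$i] === '/')) {
            $op = $tokens[$i++];
            $rhs = (float) $tokens[$i++];
            if ($op === '/' && $rhs == 0.0) {
                throw new InvalidArgumentException('Division by zero');
            }
            $product = $op === '*' ? $product * $rhs : $product / $rhs;
        }
        $total += $sign * $product;
        if ($i < count($tokens)) {
            $sign = $tokens[$i++] === '+' ? 1.0 : -1.0;
        }
    }
    return $total;
}

// Constructed inputs: a legitimate formula, then one carrying a quote.
echo safe_calculate('12.5 + 7 * 2 - 3'), "\n";
try {
    safe_calculate("3 + 'x'");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Because the validator runs before any evaluation, the second input is refused regardless of what sanitize_text_field() would or would not strip from it.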