CVE-2026-3300

EUVD-2026-17275 | CRITICAL
2026-03-31 | Wordfence
CVSS 3.1 base score: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 31, 2026 - 01:45 (vuln.today)
EUVD ID Assigned: Mar 31, 2026 - 01:45 (euvd) - EUVD-2026-17275
CVE Published: Mar 31, 2026 - 01:24 (nvd) - CRITICAL 9.8

Description

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the "Complex Calculation" feature.

Analysis

Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. …


Remediation

Within 24 hours: Identify all WordPress installations using Everest Forms Pro ≤1.9.12 via plugin inventory audit; disable or deactivate the plugin immediately across all affected systems. Within 7 days: Contact Everest Forms vendor for patch availability status and timeline; evaluate alternative form plugins for migration. …
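The first remediation step above is a plugin inventory audit. The script below is an added example (not vuln.today's or the vendor's code) of how to carry that audit out over the JSON that WP-CLI's `wp plugin list --format=json` emits on each host. It assumes the plugin's directory slug is `everest-forms-pro` (an assumption; confirm against the real directory name under `wp-content/plugins`), that each host's output has been collected into a mapping of hostname to raw JSON, and it takes the affected range (all versions up to and including 1.9.12) from the record. The sample inventory and version numbers are constructed for the example; the `1.10.0` entry is there only to show why versions must be compared numerically per component rather than as strings.

```python
import json
from typing import Dict, List

# Affected range stated in the CVE record: all versions up to and including 1.9.12.
LAST_AFFECTED = "1.9.12"

# Assumed plugin slug (hypothetical); verify against wp-content/plugins on your hosts.
PLUGIN_SLUG = "everest-forms-pro"


def parse_version(version: str) -> tuple:
    """Turn '1.9.12' into (1, 9, 12) so each component compares numerically.
    A plain string comparison would wrongly rank '1.10.0' below '1.9.12'.
    A non-numeric suffix such as '-beta' is ignored for ordering purposes."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version falls inside the affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def audit(inventory: Dict[str, str]) -> List[dict]:
    """inventory maps hostname -> raw text of `wp plugin list --format=json`.
    Returns one finding per host where the plugin is installed, including the
    activation status so deactivation work can be prioritised."""
    findings = []
    for host, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin.get("name") != PLUGIN_SLUG:
                continue
            findings.append({
                "host": host,
                "version": plugin["version"],
                "status": plugin.get("status", "unknown"),
                "affected": is_affected(plugin["version"]),
            })
    return findings


# Constructed sample output, shaped like `wp plugin list --format=json`
# (name/status/update/version); the versions are made up for the example.
SAMPLE_INVENTORY = {
    "web-01.example.internal": json.dumps([
        {"name": "everest-forms", "status": "active", "update": "none", "version": "3.0.0"},
        {"name": "everest-forms-pro", "status": "active", "update": "none", "version": "1.9.12"},
    ]),
    "web-02.example.internal": json.dumps([
        {"name": "everest-forms-pro", "status": "inactive", "update": "none", "version": "1.10.0"},
    ]),
    "web-03.example.internal": json.dumps([
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    ]),
}


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        verdict = "AFFECTED - deactivate" if finding["affected"] else "outside affected range"
        print(f"{finding['host']}: {PLUGIN_SLUG} {finding['version']} "
              f"({finding['status']}) -> {verdict}")
```

Run it against real collected output by replacing `SAMPLE_INVENTORY` with the per-host JSON you gathered; hosts where the plugin is absent produce no finding, and an active affected install is the one to deactivate first.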


Priority Score

49 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.2, CVSS +49, POC 0


CVE-2026-3300 vulnerability details – vuln.today
