ctipilot.ch

Everest Forms Pro (WordPress) unauthenticated eval() RCE — actively exploited at scale

cve · CVE-2026-3300

  • Coverage timeline: 1 (first 2026-06-08 → last 2026-06-08)
  • Briefs: 1 (1 distinct)
  • Sources cited: 5 (4 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-08 · CTI Daily Brief — 2026-06-08
     trending_vulns: First coverage + deep dive (§5). CVSS 9.8 pre-auth PHP eval() injection in Calculation Addon; mass exploitation since 2026-04-13 despite 2026-03-18 patch; rogue admin creation. Category: web-app-rce.

Where this entity is cited

  • trending_vulns (1)

Source distribution

  • bleepingcomputer.com: 2 (40%)
  • thehackernews.com: 1 (20%)
  • wordfence.com: 1 (20%)
  • threatfabric.com: 1 (20%)

Related entities

Items in briefs about Everest Forms Pro (WordPress) unauthenticated eval() RCE — actively exploited at scale (1)

CVE-2026-3300 — Everest Forms Pro (WordPress): unauthenticated `eval()` injection, actively exploited at scale

From CTI Daily Brief — 2026-06-08 · published 2026-06-08

A pre-authentication PHP code-injection flaw (CVSS 9.8) in the Calculation Addon of the Everest Forms Pro plugin lets an unauthenticated visitor break out of a calculated form field and execute attacker-controlled PHP; the payload observed in the wild creates a rogue administrator account (Wordfence, 2026-06-06; BleepingComputer, 2026-06-06). The vendor patched it in v1.9.13 on 18 March 2026, but Wordfence telemetry shows mass exploitation running since 13 April (29,300+ blocked attempts, a single-day spike of 17,900 on 16 May, still active as of 6 June). Inclusion gate: vendor-confirmed in-the-wild exploitation at scale. Full mechanics, detection and hardening in §5.