Daily brief 2026-06-08
CVE-2026-3300 — Everest Forms Pro (WordPress): unauthenticated eval() injection, actively exploited at scale
Part of run 2026-06-08-1a0ce644 (intel · Claude Opus 4.8)
A pre-authentication PHP code injection (CVSS 9.8) in the Calculation Addon of the Everest Forms Pro WordPress plugin lets an unauthenticated visitor break out of a calculated form field and execute attacker-controlled PHP; the payload observed in the wild creates a rogue administrator account (Wordfence, 2026-06-06; BleepingComputer, 2026-06-06). The vendor fixed it in v1.9.13 on 18 March 2026, but Wordfence telemetry shows mass exploitation running since 13 April, roughly four weeks after the patch (29,300+ blocked attempts, a single-day spike of 17,900 on 16 May, still active as of 6 June). Because the attack is unauthenticated and the payload persists as an admin user, a site that has run a version below 1.9.13 at any point since mid-April should be checked for an injected administrator, not merely updated. Inclusion gate: in-the-wild exploitation at scale, evidenced by Wordfence telemetry. Full mechanics, detection and hardening in § 5.
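The two checks the paragraph implies (is the installed version below 1.9.13, and has an administrator account appeared since the exploitation window opened) can be scripted against WP-CLI output. The following is an added example written for this brief; it is not code from Wordfence, BleepingComputer or the plugin vendor. It assumes the version string comes from `wp plugin get <slug> --field=version` and the account table from `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`; the plugin slug `everest-forms-pro` and the sample rows are assumptions and constructed data, not anything the brief reports.

```python
"""Triage helper for CVE-2026-3300 (Everest Forms Pro < 1.9.13).

Added example for the daily brief; not vendor or Wordfence code. The
slug `everest-forms-pro` and SAMPLE_ADMINS below are assumptions /
constructed data. Real inputs come from WP-CLI:
  wp plugin get everest-forms-pro --field=version
  wp user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered --format=csv
"""
import csv
import io
from datetime import datetime

FIXED_VERSION = "1.9.13"           # vendor fix, 18 March 2026 (from the brief)
EXPLOITATION_START = "2026-04-13"  # onset of mass exploitation per Wordfence (from the brief)


def parse_version(v: str) -> tuple:
    """'1.9.13' -> (1, 9, 13). A non-numeric tail such as '13-rc1' keeps its
    leading digits only; the pre-release marker is handled in is_vulnerable()."""
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is below 1.9.13.

    Tuples are right-padded with zeros so '1.9' compares as '1.9.0'. A
    pre-release of the fixed version ('1.9.13-rc1') is treated as still
    vulnerable, since it predates the release that carries the fix."""
    have, fixed = parse_version(installed), parse_version(FIXED_VERSION)
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    if have < fixed:
        return True
    return have == fixed and "-" in installed


def suspicious_admins(csv_text: str, since: str = EXPLOITATION_START) -> list:
    """Return logins of administrators registered on or after `since`.

    WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS'. Caveat: an
    attacker who already runs PHP on the site can backdate that column, so an
    empty result does not prove the site is clean; a non-empty one is a lead
    that warrants pulling the account's sessions, email and creation path."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            hits.append(row["user_login"])
    return hits


def triage(installed_version: str, admin_csv: str) -> dict:
    """Combine both checks into one verdict dictionary."""
    vulnerable = is_vulnerable(installed_version)
    new_admins = suspicious_admins(admin_csv)
    return {
        "installed": installed_version,
        "vulnerable": vulnerable,
        "new_admins": new_admins,
        # Below the fix AND a fresh admin: treat as compromised, not just exposed.
        "likely_compromised": vulnerable and bool(new_admins),
    }


# Constructed sample of `wp user list` output; the third row mimics the
# rogue-admin pattern the brief describes (created on the 16 May spike day).
SAMPLE_ADMINS = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-02-14 09:12:33
7,editor_jane,jane@example.com,2024-11-03 17:45:10
412,wp_support_admin,admin@example.net,2026-05-16 03:21:07
"""

if __name__ == "__main__":
    print(triage("1.9.12", SAMPLE_ADMINS))
```

Run it with the real WP-CLI output piped into the two inputs; an installed version at or above 1.9.13 only clears the exposure going forward, so the admin-account check still needs to run on any site that was below the fix during the exploitation window.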