ctipilot.ch


CVE-2026-3300: unauthenticated eval() injection in a commercial WordPress plugin, and the patch-lag that turned a March fix into a June mass-exploitation campaign

Notable vulnerability · discovered 2026-06-08 05:00 UTC · deep dive

Part of run 2026-06-08-1a0ce644 (intel · Claude Opus 4.8)

Why this is the deep dive now. CVE-2026-3300 is a textbook web-app RCE that matters less for its novelty than for what it shows about patch lag in the commercial-plugin supply chain: the vendor fixed it on 18 March 2026, yet Wordfence has logged sustained mass exploitation from 13 April through at least 6 June, with a single-day peak of 17,900 blocked attempts on 16 May (Wordfence, 2026-06-06). WordPress underpins a large share of cantonal, municipal and agency web estates, so any public-sector site still running Everest Forms Pro ≤ 1.9.12 is exposed to a fully unauthenticated site takeover today — the patch existing for three months does not help a site that never applied it.

The bug. The vulnerability lives in the process_filter() function of the plugin's Calculation Addon, which builds a PHP expression string from user-submitted form-field values and evaluates it with eval() (BleepingComputer, 2026-06-06). The only input handling applied is sanitize_text_field(), which strips tags and normalises whitespace but does not escape single quotes or PHP syntax metacharacters. An unauthenticated attacker who submits a form containing a calculation field can therefore inject a single quote to terminate the intended string literal, append arbitrary PHP, and comment out the trailing remainder of the generated expression with //. Because the sink is eval(), this is direct code execution in the WordPress PHP context — no file write, no upload, no authentication. The CVE prerequisite is narrow but common: the form must include the Calculation Addon. Affected versions are ≤ 1.9.12; fixed in 1.9.13. The flaw was credited to researcher h0xilo (BleepingComputer, 2026-06-06).

Observed exploitation chain. The dominant in-the-wild payload uses the code-execution primitive to call WordPress's own wp_insert_user() and create a rogue account with the administrator role — converting a single unauthenticated POST into persistent privileged access to the site, from which attackers typically install webshells, SEO-spam injectors or redirect malware. Mapped to MITRE ATT&CK: initial access via T1190 Exploit Public-Facing Application; execution of injected PHP via T1059 Command and Scripting Interpreter; persistence by T1136 Create Account, after which the attacker operates with T1078 Valid Accounts.

Detection concepts (no IOCs). The highest-fidelity signal is unexpected administrator-account creation: hunt WordPress user_register events that assign the administrator role, and reconcile the live admin-user list against a known-good baseline — any account you cannot attribute to a person or process is suspect. At the request layer, alert on POSTs to the form-handling endpoints (admin-ajax.php and the plugin's AJAX actions) whose parameters contain PHP-syntax artefacts such as stray single quotes followed by function-call tokens or trailing // comment markers. Post-exploitation, watch for new or modified PHP files in wp-content/ and for outbound requests from the web host that correlate with webshell or SEO-spam behaviour. These are behavioural concepts, not signatures — tune to your own form traffic.
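The two detection concepts above, implemented as an added example (not code from the brief, from Wordfence or from the plugin vendor): a request-layer check for PHP-syntax artefacts in form-submission parameters, and a reconciliation of the live administrator list against a known-good baseline. The request records, the endpoint path, the AJAX action name and the account names are constructed placeholders; replace them with your own WAF/request-body log fields and baseline.

```python
import re

# Constructed request records with the fields a WAF or request-body log would
# expose for a form submission. The 'action' value is a placeholder, not the
# plugin's real AJAX action name.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "params": {"action": "example_form_submit", "fields[calc]": "12 + 30"}},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "params": {"action": "example_form_submit", "fields[name]": "O'Brien"}},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "params": {"action": "example_form_submit",
                "fields[calc]": "1'; some_function(); //"}},
]

# Form-handling endpoints to inspect (assumed; extend with the plugin's own
# AJAX endpoints if they differ in your estate).
FORM_ENDPOINTS = ("/wp-admin/admin-ajax.php",)

# A stray single quote followed by something shaped like a PHP function call,
# or a trailing // comment marker, as the brief describes. A lone apostrophe
# in a name ("O'Brien") deliberately does not match, to keep false positives
# down on ordinary form traffic.
QUOTE_THEN_CALL = re.compile(r"'\s*[;.]?\s*[A-Za-z_][A-Za-z0-9_\\]*\s*\(")
TRAILING_COMMENT = re.compile(r"//\s*$")


def suspicious_params(req):
    """Names of POST parameters carrying PHP-syntax artefacts, if the request
    targets a form-handling endpoint; empty list otherwise."""
    if req["method"] != "POST" or req["path"] not in FORM_ENDPOINTS:
        return []
    return [name for name, value in req["params"].items()
            if QUOTE_THEN_CALL.search(value) or TRAILING_COMMENT.search(value)]


def flagged_requests(requests):
    """Indices of requests that should raise an alert."""
    return [i for i, req in enumerate(requests) if suspicious_params(req)]


def rogue_admins(live_admins, baseline):
    """Administrator accounts present now but absent from the known-good
    baseline: every name returned needs an owner or an incident ticket."""
    return sorted(set(live_admins) - set(baseline))
```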

Hardening. Update Everest Forms Pro to 1.9.13 or later immediately; if you cannot patch on the spot, disable the Calculation Addon (the vulnerable code path) or take affected forms offline, and audit for already-created rogue admin accounts before re-enabling. A WAF rule blocking PHP-metacharacter patterns in form-submission parameters is a reasonable compensating control, but it is mitigation, not a fix. More broadly, this CVE is an argument for maintaining an inventory of commercial plugins and their versions across your WordPress estate and wiring plugin-update monitoring into change management — the recurring failure mode here is not the vulnerability class but the months-long gap between a vendor fix and its deployment.


Action items

  • Patch Everest Forms Pro to 1.9.13+ today if you run it. Unauthenticated, actively exploited at scale. If you cannot patch immediately, disable the Calculation Addon and audit the WordPress admin-user list for rogue accounts created since mid-April before re-enabling.

Tags: vulnerabilities · actively-exploited · rce · pre-auth · global · CVE-2026-3300