05 June 2026
Reference: CVE-2026-3300
1. What is being reported?
The Everest Forms Pro plugin for WordPress has a flaw in how its 'Complex Calculation' feature handles form input. User-submitted data is not properly validated or sanitised before the feature evaluates it as code, so an attacker can submit specially crafted form data that makes the web server run commands of the attacker's choosing.
2. What this means in plain English
If your website runs this plugin and the vulnerable feature is in use, an attacker could take control of the site, steal the data it holds, or damage it. The risk is especially high because, as reported, the attacker does not need an account or a login to exploit the flaw: anyone who can submit the form can attempt it.
3. Could this affect a small business?
Small businesses or organisations running WordPress with Everest Forms Pro version 1.9.12 or earlier, and using the 'Complex Calculation' feature, could be affected. If you do not use this plugin, or do not use this feature, you are unlikely to be impacted.
4. What to do now
- Check whether your website has the Everest Forms Pro plugin installed and which version it is running. The Plugins page in the WordPress admin shows this; on the command line, WP-CLI's `wp plugin list` does the same.
- If the plugin is installed, ask your IT provider or website manager to update it to a fixed version as soon as the vendor publishes one.
- If no fixed version is available yet, disable the 'Complex Calculation' feature on every form that uses it, or deactivate the plugin, until a fix is released.
- Monitor the site for unusual activity, such as unexpected administrator accounts, modified plugin or theme files, or unknown scheduled tasks, and make sure regular backups exist and have been tested for restore.
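As an added example (not part of the original advisory and not the vendor's code), the following POSIX shell script reads a WordPress plugin's header, extracts its Version line, and reports whether the version falls in the affected range of 1.9.12 or earlier. The plugin directory name, the main file name, and the sample header the script writes for itself are constructed assumptions for this example; on a real server, point check_everest_forms_pro at the plugin's main PHP file under wp-content/plugins. The version comparison is done field by field so that a version such as 1.10.0 is correctly treated as newer than 1.9.12, which a plain string comparison would get wrong.

```shell
#!/bin/sh
# Added example: report whether an installed Everest Forms Pro copy is at or
# below version 1.9.12 (the range the advisory names as affected).
# Assumption: the plugin lives at wp-content/plugins/everest-forms-pro/
# everest-forms-pro.php; adjust the path to match your server.

AFFECTED_MAX="1.9.12"

# Print the "Version:" value from a WordPress plugin header. WordPress reads
# plugin headers from the first 8 KiB of the file, so only that much is scanned.
# A suffix such as "-beta" is dropped; only digits and dots are kept.
plugin_version() {
    head -c 8192 "$1" \
      | sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
      | head -n 1
}

# Return 0 (true) when version $1 <= version $2, comparing dot-separated
# numeric fields left to right; missing trailing fields count as 0.
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 0
}

# Check the plugin file at $1. Prints "affected (<v>)", "fixed-or-newer (<v>)"
# or "unknown"; exit status 0 = affected, 1 = not affected, 2 = no version found.
check_everest_forms_pro() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_le "$v" "$AFFECTED_MAX"; then
        echo "affected ($v)"
        return 0
    fi
    echo "fixed-or-newer ($v)"
    return 1
}

# Constructed sample header (not the real plugin file) so the script can be
# run offline: writes a minimal WordPress plugin header with version $2 to $1.
write_sample_header() {
    cat > "$1" <<EOF
<?php
/**
 * Plugin Name: Everest Forms Pro
 * Description: constructed sample header for this example, not the real plugin
 * Version: $2
 */
EOF
}

# Stand-alone demonstration against the constructed sample header.
demo_file=$(mktemp)
write_sample_header "$demo_file" "1.9.12"
check_everest_forms_pro "$demo_file" || true
rm -f "$demo_file"
```

Run it with `sh check-everest.sh` after changing the demo path to the real plugin file, or source it and call `check_everest_forms_pro wp-content/plugins/everest-forms-pro/everest-forms-pro.php` directly; the exit status makes it usable from a monitoring job. Where WP-CLI is installed, `wp plugin list` gives the same version information without parsing files.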
5. Ask your IT provider
Can you confirm whether our WordPress site runs the Everest Forms Pro plugin at version 1.9.12 or earlier, and if so, whether you have applied an update or a mitigation for the recent critical vulnerability (CVE-2026-3300)?
6. Bottom line
If your website uses Everest Forms Pro with its calculation features, act quickly: update to a fixed version or disable the feature or plugin so that attackers cannot take over your site.
Information based on CISA KEV, NVD, and reputable security reporting.