Everest Forms Pro Remote Code Execution Vulnerability via PHP Code Injection

Vulnerability

A remote code execution vulnerability has been identified in the Everest Forms Pro plugin for WordPress, affecting all versions through 1.9.12. The issue arises in the Calculation Addon, where the process_filter() function improperly concatenates user-submitted form field values into a PHP code string. This concatenation occurs without adequate escaping before the code is evaluated with eval(). The applied sanitize_text_field() function fails to escape single quotes and other characters relevant to PHP code context. As a result, unauthenticated attackers can inject and execute arbitrary PHP code on the server. Exploitation involves submitting a crafted value in any string-type form field—such as text, email, URL, select, or radio—when the form utilizes the 'Complex Calculation' feature.
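To make the flaw class concrete, here is an added illustration (not Everest Forms Pro's own code) of the splice-into-eval() pattern the advisory describes next to a hardened replacement; the function names, the formula placeholder syntax and the sanitize_text_field() stand-in are assumptions.

```php
<?php
// Added illustration of the flaw class the advisory describes; this is not
// Everest Forms Pro's own code, and the function names are hypothetical.

// sanitize_text_field() is a WordPress API. A minimal stand-in is defined so
// the file runs outside WordPress; like the real one, it strips tags and
// control characters but leaves single quotes untouched.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($str)));
    }
}

// Vulnerable pattern: each field value is wrapped in single quotes and
// spliced into the formula text, which the caller then feeds to eval().
// Because the sanitizer keeps quotes, a value can end the string literal
// and the rest of it is parsed as PHP code, not data.
function build_expression_unsafe(array $fields, string $formula): string {
    foreach ($fields as $id => $value) {
        $formula = str_replace('{' . $id . '}', "'" . sanitize_text_field($value) . "'", $formula);
    }
    return $formula; // caller: eval('return ' . $formula . ';');
}

// Hardened form: a calculation only ever needs numbers, so refuse anything
// that is not numeric and emit a float literal instead of raw text. The
// finished string is then checked against an allow-list of arithmetic
// characters before anything is evaluated.
function build_expression_safe(array $fields, string $formula): string {
    $expr = preg_replace_callback('/\{([A-Za-z0-9_-]+)\}/', function (array $m) use ($fields): string {
        $value = $fields[$m[1]] ?? '';
        if (!is_numeric($value)) {
            throw new InvalidArgumentException("field {$m[1]} is not numeric");
        }
        return var_export((float) $value, true);
    }, $formula);
    if (!preg_match('/^[0-9.\s+\-*\/()]+$/', $expr)) {
        throw new InvalidArgumentException('expression contains non-arithmetic characters');
    }
    return $expr;
}

// Constructed sample submission; the second call carries a non-numeric value.
$formula = '({qty} * {price}) / 2';
echo build_expression_safe(['qty' => '3', 'price' => '9.50'], $formula), "\n";
try {
    build_expression_safe(['qty' => '3', 'price' => '9.50 each'], $formula);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Even with the allow-list, evaluating the arithmetic with a small expression parser instead of eval() removes the code-execution sink altogether.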

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where the affected WordPress site is hosted.

Reproduction

To reproduce this vulnerability, create a form using the Everest Forms Pro plugin version 1.9.12 or earlier. Enable the 'Complex Calculation' feature and add a string-type field, such as text, email, URL, select, or radio. Submit the form with a crafted value that exploits the PHP code injection vulnerability. The injected PHP code will be executed on the server, demonstrating the remote code execution impact.

Remediation

Users are advised to update the Everest Forms Pro plugin to version 1.9.13 or a newer patched version.

Added: Mar 31, 2026, 2:19 AM
Updated: Mar 31, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.4
remediation: 0.0
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.