Impact statement: CVE-2026-3300 is a critical Everest Forms Pro vulnerability affecting WordPress sites running Everest Forms Pro 1.9.12 or older. Patchstack rates it CVSS 10, Wordfence rates it 9.8 Critical, and both sources describe it as an unauthenticated remote code execution risk tied to the Pro calculation feature. If a customer site uses Everest Forms Pro, verify the version now and update to 1.9.13 or newer.
This matters for hosting providers, web agencies, WooCommerce shops, lead-generation sites, nonprofits, schools, and any business that lets public visitors submit forms. Form plugins sit directly on the public side of WordPress. When a form plugin has a critical server-side execution flaw, the risk is not just spam or a broken contact form. The risk can become full WordPress compromise under the web server account.
Who Is Affected
Check any WordPress site that has Everest Forms Pro installed, especially sites with public forms, quote forms, registration forms, intake forms, payment forms, booking forms, or forms using calculated totals.
| Software | Affected versions | Fixed version | Priority |
|---|---|---|---|
| Everest Forms Pro | 1.9.12 and older | 1.9.13 or newer | Critical |
The free Everest Forms plugin may also appear in the same inventory because Pro features often depend on the base plugin; seeing the free plugin by itself is not what this advisory is about. The item to act on is whether a Pro build at 1.9.12 or older is installed and active on the site.
What To Patch
Update Everest Forms Pro to 1.9.13 or newer. If your license dashboard, agency update tool, or managed WordPress platform shows a newer stable release, use that newer release. Do not leave old Pro files active just because the public form still appears to work.
If the site cannot be updated immediately, disable Everest Forms Pro or disable the affected public forms until the update can be tested and installed. For business-critical forms, create a temporary safe replacement form or route the page to a plain contact method during the maintenance window.
Safe Version Checks
Use these commands only on WordPress sites you own, manage, or are authorized to support. They are inventory and maintenance checks, not vulnerability tests.
wp plugin list | grep -i everest
wp plugin status everest-forms
wp plugin status everest-forms-pro
If WP-CLI is not available, check the WordPress dashboard under Plugins, then confirm the Pro version from the vendor account or the plugin details screen. Premium plugin updates may not arrive through the normal WordPress.org update flow, so the dashboard may not flag that a newer Pro release exists. The plugin directory slug the Pro package uses can also differ from the one in the commands above, so confirm the slug from the plugin list output before scripting any checks against it.
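The version check above, and the fleet sweep the hosting-provider notes further down ask for, as an added example in POSIX sh. This is example code written for this page, not tooling from the advisory, Patchstack, Wordfence or the plugin vendor. It assumes the Pro plugin's directory slug is `everest-forms-pro` (confirm that against your own `wp plugin list` output), takes 1.9.13 as the fixed version from the table above, and runs against a constructed CSV sample in the shape that `wp plugin list --fields=name,status,version --format=csv` produces.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an Everest Forms Pro
# version string is below the fixed release, and apply that to WP-CLI output.
# Assumptions: the Pro plugin's directory slug is "everest-forms-pro" (confirm
# it against your own `wp plugin list` output); the fixed version is 1.9.13 as
# stated above; the CSV sample at the bottom is constructed, not real data.

FIXED_VERSION="1.9.13"
PRO_SLUG="everest-forms-pro"

# version_lt A B: succeed when dotted version A sorts before B. Components are
# compared numerically so 1.10.0 is newer than 1.9.13, and a suffix such as
# "12-beta" is reduced to its leading digits. Missing components count as 0.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1   # equal
}

# pro_needs_update VERSION: succeed when VERSION is older than FIXED_VERSION.
pro_needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_inventory: read the CSV produced by
#   wp plugin list --fields=name,status,version --format=csv
# on stdin and print one verdict line for the Pro plugin:
#   VULNERABLE <version> <status> | OK <version> <status> | NOT_INSTALLED
check_inventory() {
    found=0
    while IFS=, read -r name status version _; do
        [ "$name" = "$PRO_SLUG" ] || continue
        found=1
        if pro_needs_update "$version"; then
            printf 'VULNERABLE %s %s\n' "$version" "$status"
        else
            printf 'OK %s %s\n' "$version" "$status"
        fi
    done
    [ "$found" -eq 1 ] || printf 'NOT_INSTALLED\n'
}

# Constructed sample of WP-CLI CSV output; the version numbers are illustrative.
SAMPLE_CSV='name,status,version
everest-forms,active,3.0.0
everest-forms-pro,active,1.9.12'

# Stand-alone demo. On a real site replace the sample with, for example:
#   wp plugin list --path=/var/www/example.test --fields=name,status,version --format=csv | check_inventory
printf '%s\n' "$SAMPLE_CSV" | check_inventory
```

For a managed fleet, loop over each docroot with `--path` and collect the verdict lines; a `NOT_INSTALLED` result still deserves a manual look if the customer may have installed Pro under a different directory name. The string comparison is deliberately numeric per component rather than a plain `sort`, so a future 1.10.x release is not misread as older than 1.9.13.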
Patch Checklist
- Back up first. Take a file and database backup before changing a production WordPress form plugin.
- Inventory forms. Identify contact, quote, registration, booking, checkout-adjacent, and calculated-total forms.
- Update Everest Forms Pro. Install 1.9.13 or newer from the trusted vendor channel.
- Clear caches. Clear WordPress cache, page cache, CDN cache, object cache, and PHP opcache where used.
- Test normal form flow. Submit a normal test entry, confirm email delivery, confirm CRM/webhook delivery if used, and verify payment or booking handoffs if the form supports them.
- Review access. Confirm only trusted users can edit forms, install plugins, or change form calculations.
If You Cannot Patch Today
Take the public risk off the table while you schedule the update.
- Disable Everest Forms Pro temporarily.
- Disable public forms that rely on Pro calculations.
- Restrict form pages to logged-in staff or trusted networks if the site can tolerate it.
- Use a temporary static contact page, phone number, helpdesk mailbox, or safer form replacement.
- Ask the hosting provider or CDN/WAF team to watch public form activity while patching is planned.
Logs And Files To Review
If the site was running Everest Forms Pro 1.9.12 or older with public forms, review it like a potentially exposed WordPress application.
- WordPress administrator users, recently created users, role changes, and password resets.
- Plugin and theme files changed around the disclosure window and after unusual form traffic.
- Upload directories, cache directories, and temporary directories for unexpected executable files.
- Form entry logs for sudden spikes, odd entries, repeated failed submissions, or submissions from unusual countries or networks.
- Web server access logs for unusual POST volume to form pages.
- Scheduled tasks, mu-plugins, and recently modified PHP files.
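Three of the review items above (executable files under upload and cache directories, recently modified PHP files, and POST volume to form pages) as added triage helpers in POSIX sh. This is example code written for this page, not tooling from the advisory or any vendor. The docroot layout, the combined-format access log lines, the RFC 5737 addresses and the dates are all constructed so the block runs offline; on a real host the helpers are pointed at the WordPress docroot and the web server's access log instead.

```shell
#!/bin/sh
# Added example (not from the advisory): triage helpers for three items in the
# review list above. All paths, log lines, addresses and dates are constructed.

# find_unexpected_php ROOT: list PHP-like files under directories that should
# hold only data (uploads, caches, upgrade scratch). Prints paths relative to ROOT.
find_unexpected_php() {
    root=$1
    for dir in wp-content/uploads wp-content/cache wp-content/upgrade; do
        [ -d "$root/$dir" ] || continue
        ( cd "$root" && find "$dir" -type f \
            \( -name '*.php' -o -name '*.php?' -o -name '*.phtml' -o -name '*.phar' \) )
    done
}

# find_recent_php ROOT DAYS: PHP files anywhere under ROOT modified in the last
# DAYS days. Compare the list against your own maintenance window; anything you
# did not change yourself deserves a look.
find_recent_php() {
    ( cd "$1" && find . -type f -name '*.php' -mtime "-$2" )
}

# count_form_posts LOGFILE FORM_PATH: POST requests per client IP whose request
# path starts with FORM_PATH, busiest first, from a combined-format access log.
# A single source dominating, or total volume far above the usual daily count,
# is the "unusual POST volume" the list asks you to look for.
count_form_posts() {
    awk -v path="$2" '
        $6 == "\"POST" && index($7, path) == 1 { n[$1]++ }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed combined-format log lines (RFC 5737 test addresses).
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:10:00:02 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.4 - - [10/Mar/2026:10:00:03 +0000] "GET /contact/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:10:00:09 +0000] "POST /contact/ HTTP/1.1" 200 512 "https://example.test/contact/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:00:10 +0000] "POST /contact/?f=1 HTTP/1.1" 500 0 "-" "curl/8.5.0"'

# build_sample_site DIR: constructed docroot with one legitimate, old plugin file
# and two files that should never exist under uploads or cache.
build_sample_site() {
    mkdir -p "$1/wp-content/plugins/everest-forms" "$1/wp-content/uploads/2026/03" "$1/wp-content/cache"
    : > "$1/wp-content/plugins/everest-forms/everest-forms.php"
    touch -t 202001010000 "$1/wp-content/plugins/everest-forms/everest-forms.php"
    : > "$1/wp-content/uploads/2026/03/form-attachment.pdf"
    : > "$1/wp-content/uploads/2026/03/x.php"
    : > "$1/wp-content/cache/y.phtml"
    printf '%s\n' "$SAMPLE_LOG" > "$1/access.log"
}

# Stand-alone demo against the constructed site; on a real host point the
# helpers at the WordPress docroot and the web server's access log instead.
demo_dir=$(mktemp -d)
build_sample_site "$demo_dir"
echo "== PHP under data directories"; find_unexpected_php "$demo_dir"
echo "== PHP modified in the last 7 days"; find_recent_php "$demo_dir" 7
echo "== POSTs to /contact/ per IP"; count_form_posts "$demo_dir/access.log" /contact/
rm -rf "$demo_dir"
```

A hit from `find_unexpected_php` is not proof of compromise by itself (some plugins do write PHP into cache directories), but a PHP file under uploads has no legitimate reason to exist and should be quarantined and inspected, not deleted blindly, so its timestamps and contents can be correlated with the access log. The log helper matches on the request-path prefix, so it also catches the `?query` variants an automated tool tends to produce.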
Hosting Provider Notes
For managed WordPress fleets, search plugin inventory for Everest Forms Pro and prioritize sites that accept public form submissions. If customers self-manage plugins, send a short notice that asks them to update Everest Forms Pro to 1.9.13 or newer, temporarily disable vulnerable forms if they cannot update, and request help if they are unsure whether Pro is installed.
CDN and WAF teams should treat this as a form-abuse monitoring item while the real fix is applied in WordPress. Challenge or rate-limit suspicious form traffic where appropriate, but do not rely on edge filtering as the permanent fix. The permanent fix is the vendor update or removal of the vulnerable Pro plugin.
Customer Notice Template
Plain-English version: Everest Forms Pro has a critical security update. If your site uses Everest Forms Pro 1.9.12 or older, update to 1.9.13 or newer. If you cannot update today, disable the affected public forms until the update is installed. After patching, test normal form submissions and review users, plugin files, upload folders, and recent form activity.
Fix I.T. Phill Guidance
Do not wait because this is “only a form plugin.” Form plugins are public entry points. If Everest Forms Pro is active, patch it, confirm the Pro version, clear caches, and review the site for signs of compromise. On shared hosting, one abandoned WordPress install with a vulnerable form plugin can become a much bigger cleanup problem later.


