TechOptima Ignite
TechOptima Solutions (636) 777-7702

PHP / Everest Forms Pro RCE

June 9, 2026

Unauthenticated remote code execution via eval() in WordPress Everest Forms Pro “Complex Calculation” feature.

Wordfence disclosed a critical remote-code-execution vulnerability in the Everest Forms Pro WordPress plugin. The plugin’s process_filter() function concatenates user-supplied form field values into a PHP string and passes it to eval(). Although sanitizetextfield is applied, it does not escape single quotes or other PHP-significant characters.

An unauthenticated attacker can submit a string containing a single quote, malicious PHP code, and a comment marker. This breaks out of the string literal and injects code that is later executed by eval(). Observed payloads create a new administrator account (username “diksimarina”) and enable full site compromise via webshells or further backdoors.

Steve uses this incident to illustrate why he isolates any PHP-based services (XenForo, NeuvoMail) on separate networks. While secure PHP is theoretically possible, the language makes it unusually easy for typical developers to introduce catastrophic flaws by treating user input as executable code.

Tags: SECURITY | UCE | WORDPRESS

Source: sn-1082-notes.pdf

← Back to Blog