Impact
The vulnerability allows an unauthenticated attacker to inject arbitrary PHP code through a string-type form field when the "Complex Calculation" feature is enabled. The plugin's processing concatenates the unescaped input into a PHP code string and passes it to eval(), so attacker-supplied code executes on the web server. This flaw, a CWE-94 code injection vulnerability, directly compromises the confidentiality, integrity, and availability of the affected WordPress site and allows full system takeover.
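As an added illustration (constructed for this page, not code from Everest Forms), the eval()-based pattern the advisory describes next to a hardened replacement that evaluates a calculation formula without ever building PHP source. The function names, the `{field}` placeholder syntax and the sample field values are hypothetical; the hardened version assumes PHP 8 (for `match` and its DivisionByZeroError on `/ 0`).

```php
<?php
// Constructed illustration of the CWE-94 pattern described above; this is
// not code from Everest Forms. $fields holds raw strings from a submission.
// VULNERABLE pattern: field values are spliced into PHP source and eval()'d,
// so a string-type field can carry code instead of a number.
function calc_unsafe(string $formula, array $fields): float {
    foreach ($fields as $name => $value) {
        $formula = str_replace('{' . $name . '}', $value, $formula);
    }
    return (float) eval('return ' . $formula . ';');
}
// HARDENED: never build code. Every field must be numeric, the formula is
// limited to an arithmetic alphabet, and a small precedence-climbing parser
// evaluates + - * / and parentheses without eval(). Requires PHP 8.
const PREC = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
function calc_safe(string $formula, array $fields): float {
    foreach ($fields as $name => $value) {
        if (!is_numeric($value)) throw new InvalidArgumentException("field '$name' is not numeric");
        $formula = str_replace('{' . $name . '}', (string) (float) $value, $formula);
    }
    $s = preg_replace('/\s+/', '', $formula);
    if (!preg_match('/^[0-9.+\-*\/()]*$/', $s)) throw new InvalidArgumentException('disallowed characters');
    $p = 0;
    $v = parse_expr($s, $p);
    if ($p !== strlen($s)) throw new InvalidArgumentException('unexpected trailing input');
    return $v;
}
// expr := factor (op expr)* ; binary operators bound by precedence, left-associative
function parse_expr(string $s, int &$p, int $min = 1): float {
    $v = parse_factor($s, $p);
    while ($p < strlen($s) && array_key_exists($s[$p], PREC) && PREC[$s[$p]] >= $min) {
        $op = $s[$p++];
        $r = parse_expr($s, $p, PREC[$op] + 1);
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}
// factor := number | '-' factor | '(' expr ')'
function parse_factor(string $s, int &$p): float {
    if (($s[$p] ?? '') === '(') {
        $p++; $v = parse_expr($s, $p);
        if (($s[$p] ?? '') !== ')') throw new InvalidArgumentException('missing )');
        $p++; return $v;
    }
    if (($s[$p] ?? '') === '-') { $p++; return -parse_factor($s, $p); }
    if (!preg_match('/\G\d+(\.\d+)?/', $s, $m, 0, $p)) throw new InvalidArgumentException("number expected at offset $p");
    $p += strlen($m[0]);
    return (float) $m[0];
}
echo calc_safe('({qty} * {price}) - {discount}', ['qty' => '3', 'price' => '19.99', 'discount' => '5']), PHP_EOL;
```

Whatever a field contains, `calc_safe` either returns a float or throws: a non-numeric value is rejected before substitution, and the parser can only produce arithmetic results, so there is no code path in which submitted text is interpreted as PHP.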
Affected Systems
Vulnerable installations of the WPEverest Everest Forms Pro WordPress plugin up to and including version 1.9.12 are affected. All WordPress sites that load any of these plugin versions and use the Complex Calculation feature in their forms are at risk. The impact is limited to installations running the specified plugin versions; later releases are not affected.
Risk and Exploitability
The CVSS base score of 9.8 indicates critical severity. The EPSS score of 41% indicates an elevated likelihood that the vulnerability will be actively exploited, though it remains unlisted in the CISA KEV catalog. No authentication is required, and an attacker can submit form data from any external source, making exploitation technically feasible; the EPSS figure points to a raised exploitation risk, yet observed exploitation activity remains limited.
OpenCVE Enrichment