Attackers are actively exploiting a severe vulnerability, CVE-2026-3300, in the Everest Forms Pro plugin that lets them take complete control of WordPress websites.
The flaw affects versions 1.9.12 and earlier of the plugin and requires no authentication: an unauthenticated attacker can execute arbitrary PHP code on the web server.
Everest Forms Pro serves as a premium extension for the popular WordPress form builder plugin, Everest Forms, allowing users to create various types of forms such as contact forms, registration forms, payment forms, and custom application forms.
The vulnerability resides in the plugin's Complex Calculation feature, which takes values entered in form fields, splices them into a string of PHP source code, and then executes that string with PHP's eval() function.
The input does pass through WordPress' sanitize_text_field(), but that function only strips tags, control characters and extra whitespace; it does not escape single quotes (') or any other character that changes the meaning of PHP syntax.
An attacker therefore only has to start a field value with a single quote to close the string literal in the template, after which everything they append is parsed and run as PHP on the server.
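The bug class described above, shown as an added PHP illustration that is not Everest Forms Pro's code: a stand-in for sanitize_text_field(), a calculation template that splices the sanitized value into PHP source for eval(), and a hardened replacement that never evals and instead parses the arithmetic itself. The template, the fake_sanitize_text_field() stand-in, the SafeCalc parser and the demo inputs are all assumptions for illustration; the injection payload is benign and only proves that attacker-supplied code runs.

```php
<?php
// Added example (not Everest Forms Pro code). Models the pattern in the advisory:
// a field value is run through sanitize_text_field(), spliced into PHP source and
// handed to eval(). Template, field handling and helper names are assumptions.

// Stand-in for WordPress' sanitize_text_field(): strips tags, NUL bytes and
// whitespace runs. It never escapes quotes, which is what keeps eval() reachable.
function fake_sanitize_text_field(string $str): string {
    $str = strip_tags($str);
    $str = str_replace("\0", '', $str);
    $str = preg_replace('/\s+/', ' ', $str);
    return trim($str);
}

// VULNERABLE: PHP source is built by concatenation and executed.
// A value beginning with a single quote closes the literal; everything after it is
// parsed as PHP, and a trailing // comments out the rest of the template line.
function vulnerable_calculate(string $fieldValue) {
    $value = fake_sanitize_text_field($fieldValue);
    $code  = "\$result = '" . $value . "' * 2; return \$result;";
    return eval($code);
}

// HARDENED: no eval(). The value is tokenised and evaluated by a tiny
// recursive-descent parser that understands numbers, + - * / and parentheses.
// Anything else is rejected before any arithmetic happens.
final class SafeCalc {
    private array $tok;
    private int $pos = 0;

    private function __construct(array $tok) { $this->tok = $tok; }

    public static function evaluate(string $expr): float {
        $compact = preg_replace('/\s+/', '', $expr);
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $compact, $m);
        // Every character must belong to some token, so a stray quote or letter fails here.
        if ($compact === '' || implode('', $m[0]) !== $compact) {
            throw new InvalidArgumentException('expression contains disallowed characters');
        }
        $p = new self($m[0]);
        $v = $p->expr();
        if ($p->pos !== count($p->tok)) {
            throw new InvalidArgumentException('unexpected trailing token');
        }
        return $v;
    }

    private function peek(): ?string { return $this->tok[$this->pos] ?? null; }

    private function next(): string {
        if (!isset($this->tok[$this->pos])) {
            throw new InvalidArgumentException('unexpected end of expression');
        }
        return $this->tok[$this->pos++];
    }

    // expr := term (('+'|'-') term)*
    private function expr(): float {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->next() === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }

    // term := factor (('*'|'/') factor)*
    private function term(): float {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            if ($this->next() === '*') {
                $v *= $this->factor();
            } else {
                $d = $this->factor();
                if ($d == 0.0) throw new InvalidArgumentException('division by zero');
                $v /= $d;
            }
        }
        return $v;
    }

    // factor := number | '(' expr ')' | '-' factor
    private function factor(): float {
        $t = $this->next();
        if ($t === '(') {
            $v = $this->expr();
            if ($this->next() !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        if ($t === '-') return -$this->factor();
        if (is_numeric($t)) return (float) $t;
        throw new InvalidArgumentException("unexpected token '$t'");
    }
}

function hardened_calculate(string $fieldValue): float {
    return SafeCalc::evaluate(fake_sanitize_text_field($fieldValue)) * 2;
}

// Demo with constructed inputs. The payload is benign: it only proves code execution.
$payload = "'; return 'injected code ran'; //";
var_dump(vulnerable_calculate('21'));      // int(42): the intended calculation
var_dump(vulnerable_calculate($payload));  // string(17) "injected code ran": attacker code ran
var_dump(hardened_calculate('21'));        // float(42)
try {
    hardened_calculate($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";  // the quote never reaches an interpreter
}
```

Runs on PHP 7.4 or later. If the feature only ever needs a plain number, is_numeric() followed by a cast is enough and the parser is unnecessary; escaping the quote would close this particular path but would leave eval() in the data path, which is the design the hardened version removes.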
Telemetry from Wordfence's WordPress firewall and malware scanner shows the flaw is being exploited in the wild to create unauthorized administrator accounts.
According to Wordfence, the attacker sets a text field value that begins with a single quote to close the string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username 'diksimarina'.
The payload ends with a // comment marker, which turns the remainder of the plugin's template line into a comment so the injected statement parses and runs without a syntax error.
A successful exploit hands the attacker administrator-level access and therefore full control of the site: modifying content, installing plugins and themes, planting backdoors and web shells, and reading the site database.
CVE-2026-3300 was reported to Wordfence by researcher h0xilo in February, and the Everest Forms developer released a patch on March 18.
Wordfence's data shows active exploitation starting on April 13, with its firewall blocking more than 29,300 exploit attempts since then.

The first action for any site running Everest Forms Pro 1.9.12 or earlier is to update to the patched release. As a stopgap, Wordfence recommends blocking the two IP addresses responsible for most exploitation attempts, 202.56.2[.]126 and 209.146.60[.]26.
The report also lists additional offending IP addresses as indicators of compromise (IOCs) for administrators to review and act on.
Administrators should review web server logs and the list of administrator accounts for suspicious activity, in particular any account with the username "diksimarina" or any administrator created on or after the date exploitation began. Blocking individual IPs does not protect an unpatched site, since the attacker can move to other sources.
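A small triage script for the indicators named above, added here as an illustration and not taken from Wordfence or the plugin. It flags requests from the two reported IPs in combined-format access log lines, flags administrator accounts that match the reported username or were registered on or after the first observed exploitation date, and applies a heuristic for the payload shape (leading quote, wp_insert_user(), trailing //) to a submitted field value. The log lines, user rows, request paths and the looks_like_eval_breakout() heuristic are constructed assumptions for illustration.

```php
<?php
// Added example (not Wordfence's or the plugin's code). Triage helpers for the
// IOCs the advisory names. Log lines and user rows below are constructed.

// IPs the report singles out, written defanged in the advisory; undefanged here
// so they compare against log fields.
const IOC_IPS      = ['202.56.2.126', '209.146.60.26'];
const IOC_USERNAME = 'diksimarina';

// Heuristic for the reported payload shape. A numeric calculation field has no
// business starting with a quote and a statement separator; wp_insert_user() and a
// trailing // are the specific markers of the in-the-wild payload. Heuristic only:
// absence of a match is not proof of absence of exploitation.
function looks_like_eval_breakout(string $value): bool {
    $v = trim($value);
    return (bool) preg_match("/^'\s*;/", $v)
        || (stripos($v, 'wp_insert_user') !== false && str_ends_with($v, '//'));
}

// Scans Apache/Nginx combined-format lines and reports requests from IOC sources.
function scan_access_log(array $lines): array {
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $ts, $method, $path, $status] = $m;
        if (in_array($ip, IOC_IPS, true)) {
            $hits[] = sprintf('line %d: IOC source %s %s %s -> %s at %s',
                              $n + 1, $ip, $method, $path, $status, $ts);
        }
    }
    return $hits;
}

// Rows shaped like the output of `wp user list --role=administrator --format=json`.
// Flags the reported username and any admin registered on or after $since.
function suspicious_admins(array $users, DateTimeImmutable $since): array {
    $flagged = [];
    foreach ($users as $u) {
        $registered = new DateTimeImmutable($u['user_registered']);
        if ($u['user_login'] === IOC_USERNAME || $registered >= $since) {
            $flagged[] = $u['user_login'];
        }
    }
    return $flagged;
}

// Constructed sample data. Paths and timestamps are placeholders, not real traffic.
$log = [
    '203.0.113.7 - - [13/Apr/2026:08:01:12 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [13/Apr/2026:08:02:40 +0000] "POST /contact/ HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '209.146.60.26 - - [13/Apr/2026:08:03:05 +0000] "POST /contact/ HTTP/1.1" 200 298 "-" "python-requests/2.31"',
];
$admins = [
    ['user_login' => 'siteowner',   'user_registered' => '2024-05-02 10:00:00'],
    ['user_login' => 'diksimarina', 'user_registered' => '2026-04-13 08:02:41'],
];

foreach (scan_access_log($log) as $hit) {
    echo $hit, "\n";                                    // two hits, one per IOC IP
}
print_r(suspicious_admins($admins, new DateTimeImmutable('2026-04-13')));  // [diksimarina]
var_dump(looks_like_eval_breakout("'; wp_insert_user([...]); //"));  // bool(true)
var_dump(looks_like_eval_breakout('21'));                           // bool(false)
```

Requires PHP 8.0 or later for str_ends_with(). The username and date checks are deliberately conservative: an attacker who has already used the same flaw can choose any username, so treat every administrator account you do not recognise as suspect, not only the one named in the report.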