Critical Everest Forms Pro flaw exploited to take over WordPress sites
Critical CVE-2026-3300 in Everest Forms Pro plugin actively exploited to gain full control of WordPress sites.
Summary
Hackers are actively exploiting a critical vulnerability, CVE-2026-3300, in the Everest Forms Pro WordPress plugin. The flaw lets unauthenticated attackers execute arbitrary PHP code on the server, leading to complete website takeover and the creation of rogue administrator accounts. The vulnerability was patched in version 1.9.13 on March 18; in-the-wild exploitation began on April 13, less than a month later.
Full text
By Bill Toulas, June 6, 2026, 10:09 AM

Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin that lets them take complete control of a WordPress website. The security issue affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.

Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms.

The CVE-2026-3300 vulnerability is in the plugin's Complex Calculation feature, which accepts values submitted through form fields, inserts them into a PHP code string, and then executes the resulting code with PHP's eval() function. User input is passed through WordPress's sanitize_text_field() function, but that function does not escape single quotes (') or other characters that affect PHP syntax. As a result, an attacker can close the intended string literal, inject arbitrary PHP code, and comment out the remainder of the generated code to achieve code execution on the server.

Telemetry from the Wordfence firewall and malware scanner for WordPress shows that the vulnerability is being exploited in the wild to create rogue administrator accounts.

"The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username 'diksimarina'," explains a report from Wordfence.

"The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error."

"When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created."

Administrator-level access gives attackers full control over the breached website, including modifying content, installing plugins and themes, planting backdoors and web shells, and reading private data from the site's database.

Researcher h0xilo submitted the CVE-2026-3300 vulnerability through Wordfence in February, and on March 18 the Everest Forms developer released a patch (version 1.9.13) that addresses the issue.

According to Wordfence data, active exploitation started on April 13, and the firewall has since blocked over 29,300 attempts.

Exploitation volume over time (Source: Wordfence)

Wordfence says exploitation attempts originate primarily from two IP addresses, 202.56.2[.]126 and 209.146.60[.]26, and recommends that defenders block them. Wordfence's report also provides several offending IP addresses as indicators of compromise (IOCs).

Website administrators are also advised to review log files and administrator accounts for any suspicious activity, especially anything containing the string "diksimarina".
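The string-building-plus-eval() pattern described above, reconstructed as an added example. This is illustrative code written for this article, not Everest Forms Pro's source: it pairs a simplified stand-in for sanitize_text_field() (which, like the real WordPress function, leaves single quotes intact) with a vulnerable calculation routine that splices the sanitized value into a PHP string literal and eval()s it, a harmless stand-in for wp_insert_user() so the injected statement's effect is visible, and a hardened routine that validates the field as a number instead of generating code. The function names, the exact shape of the generated code, and the payload text are assumptions; only the close-the-quote, inject, comment-out technique is taken from the article.

```php
<?php
// Added example, not Everest Forms Pro code. Reconstructs the pattern the
// article describes: user input -> sanitize_text_field() -> spliced into a
// PHP string literal -> eval(). Function names and the generated-code shape
// are assumptions; only the injection technique is taken from the article.

// Simplified stand-in for WordPress's sanitize_text_field(): strips HTML tags,
// control characters and surrounding whitespace. Like the real function it
// does NOT escape single quotes, which is what makes the injection possible.
function sanitize_text_field_stub(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// Stand-in for wp_insert_user(): records the account in memory instead of
// touching a database, so the effect of the injected statement is observable.
$created_users = [];
function fake_insert_user(string $login, string $role): void
{
    global $created_users;
    $created_users[] = ['login' => $login, 'role' => $role];
}

// VULNERABLE (hypothetical reconstruction): the submitted field value is
// sanitized, then spliced into a PHP string literal and executed. A value
// that begins with a single quote closes the literal early.
function calculate_vulnerable(string $submitted): float
{
    $safe   = sanitize_text_field_stub($submitted);
    $code   = '$result = (float) \'' . $safe . '\' * 2;';
    $result = 0.0;
    eval($code);          // generated code runs inside this function's scope
    return (float) $result;
}

// HARDENED: never generate code from user input. Validate the field as a
// number and compute with ordinary PHP arithmetic.
function calculate_hardened(string $submitted): float
{
    if (!is_numeric($submitted)) {
        throw new InvalidArgumentException('calculation field must be numeric');
    }
    return (float) $submitted * 2;
}

// Constructed inputs. The payload has the shape the article describes: a
// leading quote closes the string literal, a statement follows, and a
// trailing // comments out the rest of the generated code, closing quote included.
$benign  = '21';
$payload = "'; fake_insert_user('rogue_admin', 'administrator'); //";

// The stub leaves the payload unchanged, so the generated code becomes:
//   $result = (float) ''; fake_insert_user('rogue_admin', 'administrator'); //' * 2;
printf("benign value through vulnerable path: %s\n", calculate_vulnerable($benign));
calculate_vulnerable($payload);   // the injected fake_insert_user() call executes
printf("accounts after vulnerable path: %s\n", json_encode($created_users));

// The hardened path refuses anything that is not a plain number.
try {
    calculate_hardened($payload);
} catch (InvalidArgumentException $e) {
    printf("hardened path rejected payload: %s\n", $e->getMessage());
}
```

Run it with the PHP CLI (php example.php). The point to take away is that sanitize_text_field() is a presentation-layer sanitizer, not a code-context escaper: the only safe design is to never feed field values into eval() at all, and to validate calculation inputs against the numeric domain they are supposed to occupy.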
Indicators of Compromise
- ip — 209.146.60.26
- cve — CVE-2026-3300
- ip — 202.56.2.126
- indicator — rogue administrator accounts
- username — diksimarina