
Critical Everest Forms Pro flaw exploited to take over WordPress sites

Hackers are exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which allows them to take complete control of a WordPress website.

The security issue affects versions 1.9.12 and earlier of the plugin and can be used without authentication to inject malicious code into the server.

Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms.


CVE-2026-3300 lies in the plugin's Complex Calculation feature, which accepts values submitted through form fields and inserts them into a string of PHP code, then executes the resulting code with PHP's ‘eval()’ function.

While user input is passed through the ‘sanitize_text_field()’ function, that function does not escape single quotes (‘) or other characters that affect PHP syntax.

As a result, an attacker can break out of the string literal, inject arbitrary PHP code, and comment out the remainder of the generated code to achieve code execution on the server.

Telemetry data from the Wordfence firewall and WordPress malware scanner shows that the vulnerability is being exploited in the wild to create malicious administrator accounts.

“The attacker submits the value of a text field that starts with a single quote to close a literal wrapping string, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” explains a report from Wordfence.

“The trailing // comment tag ensures that all generated PHP code, including closing quotes, is treated as a comment and does not cause a syntax error.”

“When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and a malicious administrator account is created.”

Administrator-level access gives attackers full power to perform high-risk actions on a compromised website, including modifying content, installing plugins and themes, planting backdoors and web shells, and accessing private databases.

Researcher h0xilo reported the CVE-2026-3300 vulnerability through Wordfence in February, and on March 18, the Everest Forms developer released a patch addressing the issue.

According to Wordfence data, active exploitation began on April 13, when the firewall blocked more than 29,300 attempts.

[Figure: Exploitation volume. Source: Wordfence]

Wordfence says the exploit attempts mainly originate from two IP addresses, 202.56.2[.]126 and 209.146.60.26, and recommends that defenders block them.

The Wordfence report also lists several additional offending IP addresses as indicators of compromise (IOCs).

Website administrators are advised to review log files and administrator accounts for any suspicious activity, especially entries containing the string “diksimarina.”
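As an added triage example (not code from the article, Wordfence or the plugin), the script below applies the indicators the article gives, the two source IPs, the “diksimarina” username, the affected version range and the April 13 exploitation start date, to constructed web-server log lines and a constructed user listing. The first fixed version (1.9.13), the log format (Common Log Format) and the "new administrator since exploitation began" heuristic are assumptions for illustration, not statements from the report.

```python
import re
from typing import Iterable, List, Tuple

# Indicators stated in the article / Wordfence report.
IOC_IPS = {"202.56.2.126", "209.146.60.26"}
IOC_USERNAME = "diksimarina"
# Assumption: the first fixed release follows the affected 1.9.12; the article
# only states that 1.9.12 and earlier are affected.
FIRST_FIXED_VERSION = (1, 9, 13)
# Date on which active exploitation began, per the article.
EXPLOITATION_START = "2026-04-13"

# Assumed Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '1.9.12' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed Everest Forms Pro version is 1.9.12 or earlier."""
    return parse_version(version) < FIRST_FIXED_VERSION


def flag_log_lines(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every log line matching a published indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("source IP listed in Wordfence IOCs")
        if IOC_USERNAME in line:
            reasons.append("IOC username present in request line")
        if reasons:
            hits.append((line, reasons))
    return hits


def find_suspicious_users(users: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """users: (username, role, registered_date ISO) tuples, e.g. exported from wp_users.

    Flags the IOC username outright and, as an assumed heuristic, any
    administrator account registered on or after the exploitation start date.
    """
    findings = []
    for username, role, registered in users:
        if username == IOC_USERNAME:
            findings.append((username, "matches IOC username"))
        elif role == "administrator" and registered >= EXPLOITATION_START:
            findings.append((username, "administrator created on/after exploitation start"))
    return findings


# Constructed sample data for demonstration only.
SAMPLE_LOG = [
    '202.56.2.126 - - [13/Apr/2026:08:11:02 +0000] "POST /contact/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Apr/2026:08:12:44 +0000] "GET /about/ HTTP/1.1" 200 2048',
    '209.146.60.26 - - [14/Apr/2026:01:00:10 +0000] "POST /register/ HTTP/1.1" 200 300',
    '198.51.100.9 - - [14/Apr/2026:02:30:55 +0000] "GET /wp-login.php?log=diksimarina HTTP/1.1" 200 1024',
]
SAMPLE_USERS = [
    ("admin", "administrator", "2024-01-05"),
    ("diksimarina", "administrator", "2026-04-13"),
    ("editor1", "editor", "2026-04-14"),
    ("newadmin", "administrator", "2026-04-15"),
]

if __name__ == "__main__":
    print("plugin 1.9.12 vulnerable:", is_vulnerable("1.9.12"))
    for line, reasons in flag_log_lines(SAMPLE_LOG):
        print("LOG HIT:", line, "->", "; ".join(reasons))
    for user, reason in find_suspicious_users(SAMPLE_USERS):
        print("USER HIT:", user, "->", reason)
```

Feed real access logs and a `wp_users` export (username, role, registration date) into `flag_log_lines` and `find_suspicious_users`; the date heuristic is deliberately broad, so every administrator it flags should be confirmed manually rather than deleted automatically.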
