News Article · Jun 9, 2026 at 12:44 PM
Critical Everest Forms Pro Bug Under Active Attack, Administrators Urged to Patch Now
Security #active exploitation #WordPress #Everest Forms Pro #CVE-2026-3300 #remote code execution #Wordfence #plugin vulnerability

A critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin is being actively exploited. Attackers use the flaw to create admin accounts and take full control of sites. About 4,000 installations are at risk.

Attackers are actively exploiting a critical remote code execution vulnerability in Everest Forms Pro, a commercial WordPress plugin with roughly 4,000 active installations. The flaw, tracked as CVE-2026-3300 and carrying a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary PHP code on a vulnerable server.

Wordfence telemetry data shows exploitation began on April 13, 2026, and has since led to over 29,300 blocked attack attempts. Two IP addresses, 202.56.2[.]126 and 209.146.60[.]26, are linked to the majority of the attacks.

How the Exploit Works

The vulnerability resides in the plugin's Complex Calculation feature. User input from form fields is passed through PHP's eval() function after sanitization with sanitize_text_field(). However, that function does not escape single quotes or other PHP syntax characters. An attacker can submit a value that starts with a single quote to close the wrapping string literal, inject arbitrary PHP code, and then use a // comment marker to silence the rest of the generated code. The injected code typically calls wp_insert_user() to create a rogue administrator account with the username diksimarina.
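The root cause described above is that form input is spliced into PHP source and passed to eval(), so a text sanitizer that leaves quotes intact cannot prevent the breakout. The following is an added illustration, not Everest Forms Pro code: a stand-in for that kind of sanitizer that passes a quote-bearing value straight through, beside a calculation evaluator that parses an arithmetic grammar instead of building code (the stand-in filter, the sample inputs and the use of Python's ast module are all assumptions of this example).

```python
"""Why sanitizing text does not stop code injection, and how to avoid eval().

Added example (not plugin code). The filter below is only a rough stand-in for
a WordPress-style text sanitizer (strip tags, collapse whitespace, trim); it
is not the real function. The sample inputs are constructed for this demo.
"""
import ast
import operator
import re

# Only these node types are ever evaluated; anything else is rejected.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def sanitize_like_text_field(value: str) -> str:
    """Stand-in for a generic text sanitizer: tags and stray whitespace go,
    but quotes, semicolons and comment markers survive untouched."""
    value = re.sub(r"<[^>]*>", "", value)
    return re.sub(r"\s+", " ", value).strip()


def _eval_node(node: ast.AST) -> float:
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        try:
            return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
        except ZeroDivisionError as exc:
            raise ValueError("division by zero") from exc
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Names, calls, attributes, strings, comparisons, power, ...: all refused.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_calc(expr: str) -> float:
    """Evaluate a numeric form calculation without ever executing it as code.
    Raises ValueError for anything that is not plain arithmetic."""
    if len(expr) > 200:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an arithmetic expression: {expr!r}") from exc
    return _eval_node(tree.body)


if __name__ == "__main__":
    print(safe_calc("(2 + 3) * 4"))                        # 20
    print(sanitize_like_text_field("1'; attacker(); //"))  # unchanged payload
```

The second print shows the sanitizer leaving the breakout characters intact; the same string handed to safe_calc() raises ValueError instead of being executed.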

  • All versions of Everest Forms Pro up to and including 1.9.12 are vulnerable.
  • The flaw was initially reported to Wordfence by researcher h0xilo in February 2026.
  • The plugin developer released a patched version on March 18, 2026.
  • Attackers gain full administrator access, enabling them to modify content, install plugins, plant backdoors, and access private databases.
  • Wordfence has published a list of additional offending IP addresses for defenders to block.

Wider Implications and Next Steps

The active exploitation of CVE-2026-3300 mirrors a pattern seen in recent WordPress plugin vulnerabilities such as those in Kirki and WP Maps Pro. Because Everest Forms Pro is used for contact, registration, and payment forms, many high-value sites are among the 4,000 installations. The exploit requires no authentication and can be triggered simply by submitting a crafted form field value.

Site administrators who use Everest Forms Pro should immediately verify they are running version 1.9.13 or later, released on March 18. Log files should be reviewed for the username diksimarina and any other suspicious admin accounts. The site should also be scanned for hidden backdoors and webshells. Wordfence and other security vendors are providing firewall rules that block the exploit payload. Organizations with higher security requirements may want to disable the Complex Calculation feature entirely until the patch is confirmed deployed.

Fact check

  • The vulnerability CVE-2026-3300 affects Everest Forms Pro versions up to and including 1.9.12 and carries a CVSS score of 9.8. (verified)
  • Wordfence has blocked over 29,300 exploit attempts since April 13, 2026. (reported)
  • Attackers create a rogue admin account with the username 'diksimarina'. (reported)
  • The vulnerability allows unauthenticated remote code execution via the Complex Calculation feature. (verified)
  • Roughly 4,000 sites have Everest Forms Pro installed. (reported)
