{
    "@context": "https://schema.org",
    "@type": "NewsArticle",
    "@id": "https://hostdir.net/blog/critical-everest-forms-pro-bug-under-active-attack-administrators-urged-to-patch-now",
    "headline": "Critical Everest Forms Pro Bug Under Active Attack, Administrators Urged to Patch Now",
    "alternativeHeadline": "CVE-2026-3300 allows unauthenticated remote code execution; attackers are creating rogue admin accounts on vulnerable WordPress sites.",
    "url": "https://hostdir.net/blog/critical-everest-forms-pro-bug-under-active-attack-administrators-urged-to-patch-now",
    "datePublished": "2026-06-09T12:44:00+00:00",
    "dateModified": "2026-06-09T15:07:34+00:00",
    "author": {
        "@type": "Organization",
        "name": "HostDir News Desk",
        "url": "https://hostdir.net"
    },
    "publisher": {
        "@type": "Organization",
        "name": "HostDir",
        "url": "https://hostdir.net",
        "logo": {
            "@type": "ImageObject",
            "url": "https://hostdir.net/assets/logo.svg"
        }
    },
    "image": "https://hostdir.net/uploads/news/3cbdeb330173fcf1.webp",
    "description": "A critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin is being actively exploited. Attackers use the flaw to create admin accounts and take full control of sites. About 4,000 installations are at risk.",
    "articleSection": "Security",
    "articleBody": "Attackers are actively exploiting a critical remote code execution vulnerability in Everest Forms Pro, a commercial WordPress plugin with roughly 4,000 active installations. The flaw, tracked as CVE-2026-3300 and carrying a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary PHP code on a vulnerable server.\n\nWordfence telemetry data shows exploitation began on April 13, 2026, and has since led to over 29,300 blocked attack attempts. Two IP addresses, 202.56.2[.]126 and 209.146.60.26, are linked to the majority of the attacks.\n\nHow the Exploit Works\n\nThe vulnerability resides in the plugin's Complex Calculation feature. User input from form fields is passed through PHP's eval() function after sanitization with sanitize_text_field(). However, that function does not escape single quotes or other PHP syntax characters. An attacker can submit a value that starts with a single quote to close the wrapping string literal, inject arbitrary PHP code, and then use a // comment marker to silence the rest of the generated code. The injected code typically calls wp_insert_user() to create a rogue administrator account with the username diksimarina.\n\nAll versions of Everest Forms Pro up to and including 1.9.12 are vulnerable. The flaw was initially reported to Wordfence by researcher h0xilo in February 2026. The plugin developer released a patched version on March 18, 2026.\n\nAttackers gain full administrator access, enabling them to modify content, install plugins, plant backdoors, and access private databases. Wordfence has published a list of additional offending IP addresses for defenders to block.\n\nWider Implications and Next Steps\n\nThe active exploitation of CVE-2026-3300 mirrors a pattern seen in recent WordPress plugin vulnerabilities such as those in Kirki and WP Maps Pro. Because Everest Forms Pro is used for contact, registration, and payment forms, many high-value sites are among the 4,000 installations. The exploit requires no authentication and can be triggered simply by submitting a crafted form field value.\n\nSite administrators who use Everest Forms Pro should immediately verify they are running version 1.9.13 or later, released on March 18. Log files should be reviewed for the username diksimarina and any other suspicious admin accounts. The site should also be scanned for hidden backdoors and webshells. Wordfence and other security vendors are providing firewall rules that block the exploit payload. Organizations with higher security requirements may want to disable the Complex Calculation feature entirely until the patch is confirmed deployed.",
    "mainEntityOfPage": "https://hostdir.net/blog/critical-everest-forms-pro-bug-under-active-attack-administrators-urged-to-patch-now",
    "license": "https://creativecommons.org/licenses/by/4.0/",
    "citation": [
        {
            "@type": "CreativeWork",
            "name": "Critical Everest Forms Pro flaw exploited to take over WordPress sites",
            "url": "https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/"
        },
        {
            "@type": "CreativeWork",
            "name": "Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites",
            "url": "https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html"
        }
    ],
    "_hostdir": {
        "kind": "news-article",
        "slug": "critical-everest-forms-pro-bug-under-active-attack-administrators-urged-to-patch-now",
        "canonical": "https://hostdir.net/blog/critical-everest-forms-pro-bug-under-active-attack-administrators-urged-to-patch-now",
        "category": "security",
        "sources": [
            {
                "url": "https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/",
                "title": "Critical Everest Forms Pro flaw exploited to take over WordPress sites",
                "source_name": "BleepingComputer",
                "source_slug": "bleeping-computer"
            },
            {
                "url": "https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html",
                "title": "Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites",
                "source_name": "The Hacker News",
                "source_slug": "hacker-news"
            }
        ],
        "fact_checks": [
            {
                "claim": "The vulnerability CVE-2026-3300 affects Everest Forms Pro versions up to and including 1.9.12 and carries a CVSS score of 9.8.",
                "source_url": "https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html",
                "verdict": "verified"
            },
            {
                "claim": "Wordfence has blocked over 29,300 exploit attempts since April 13, 2026.",
                "source_url": "https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/",
                "verdict": "reported"
            },
            {
                "claim": "Attackers create a rogue admin account with the username 'diksimarina'.",
                "source_url": "https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/",
                "verdict": "reported"
            },
            {
                "claim": "The vulnerability allows unauthenticated remote code execution via the Complex Calculation feature.",
                "source_url": "https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/",
                "verdict": "verified"
            },
            {
                "claim": "Roughly 4,000 sites have Everest Forms Pro installed.",
                "source_url": "https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html",
                "verdict": "reported"
            }
        ],
        "internal_links": [
            {
                "anchor": "create",
                "target_url": "/providers/create",
                "target_kind": "provider"
            }
        ],
        "license": "CC BY 4.0",
        "license_url": "https://creativecommons.org/licenses/by/4.0/",
        "attribution": "HostDir News Desk — https://hostdir.net/blog/critical-everest-forms-pro-bug-under-active-attack-administrators-urged-to-patch-now"
    }
}