Hackers exploit critical Everest Forms Pro flaw to seize WordPress sites

Hackers are actively exploiting a critical flaw in Everest Forms Pro, a WordPress plugin, to take complete control of affected sites. The vulnerability, tracked as CVE-2026-3300, affects version 1.9.12 and earlier and can be used without authentication to run code on the server.

KEY FACTS

  • Plugin affected: Everest Forms Pro, a commercial add-on for the WordPress form builder plugin Everest Forms.
  • Weakness: The Complex Calculation feature inserts form input into PHP code and runs it with eval().
  • Impact: Attackers can inject PHP code and create rogue administrator accounts.
  • Patch: The developer released a fix on March 18.
  • Activity: Wordfence said it blocked more than 29,300 exploitation attempts starting April 13.

A technical analysis from Wordfence says the flaw stems from the plugin’s Complex Calculation feature, which accepts form field values and places them into a PHP code string before running the result with eval(). Although the input is passed through sanitize_text_field(), the function does not escape single quotes.

That allows an attacker to close the intended string, inject arbitrary PHP, and comment out the rest of the generated code. Wordfence said one observed attack used this method to call wp_insert_user() and create an administrator account with the username diksimarina.
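The hardened shape of this feature, as an added example that is not the plugin's code or Wordfence's: instead of generating PHP source from submitted values and handing it to eval(), the calculation is parsed against an allow-list and evaluated by a small interpreter, so no submitted text ever becomes code. The `{field_name}` placeholder syntax, the field names and the sample submissions are assumptions made for the example.

```php
<?php
// Added example (not plugin code): evaluating a form "calculation" without eval().
// Assumed input format: arithmetic over numbers and {field_name} placeholders,
// e.g. "({price} * {qty}) + {discount}". The placeholder syntax is an assumption.
//
// The flawed pattern described in the report builds PHP source from submitted
// values and passes it to eval(); sanitize_text_field() leaves quotes intact, so
// the submitted text can change the generated code. The fix is to never generate
// code: substitute only validated numbers, tokenize against an allow-list, and
// evaluate the expression with an explicit stack.

function safe_calculate(string $formula, array $fields): ?float
{
    // 1. Replace {field} placeholders with validated numeric literals only.
    $expr = preg_replace_callback('/\{([A-Za-z0-9_]+)\}/', function (array $m) use ($fields): string {
        $v = $fields[$m[1]] ?? null;
        if (!is_numeric($v)) {
            throw new InvalidArgumentException("field '{$m[1]}' is not numeric");
        }
        $f   = (float) $v;
        $num = rtrim(rtrim(sprintf('%.12F', abs($f)), '0'), '.');
        // Emit negatives as (0-n) so the tokenizer never needs a unary minus.
        return $f < 0 ? "(0-$num)" : $num;
    }, $formula);

    // 2. Reject anything outside the allow-list: digits, '.', + - * / and parentheses.
    if (!preg_match('/^(?:\s*(?:\d+(?:\.\d+)?|[-+*\/()]))*\s*$/', $expr)) {
        throw new InvalidArgumentException('formula contains disallowed characters');
    }
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    $tokens = $m[0];

    // 3. Shunting-yard: infix tokens -> reverse Polish notation.
    $prec   = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $output = [];
    $ops    = [];
    foreach ($tokens as $t) {
        if (isset($prec[$t])) {
            while ($ops && isset($prec[end($ops)]) && $prec[end($ops)] >= $prec[$t]) {
                $output[] = array_pop($ops);
            }
            $ops[] = $t;
        } elseif ($t === '(') {
            $ops[] = $t;
        } elseif ($t === ')') {
            while ($ops && end($ops) !== '(') {
                $output[] = array_pop($ops);
            }
            if (array_pop($ops) !== '(') {
                throw new InvalidArgumentException('unbalanced parentheses');
            }
        } else {
            $output[] = (float) $t;
        }
    }
    while ($ops) {
        $op = array_pop($ops);
        if ($op === '(') {
            throw new InvalidArgumentException('unbalanced parentheses');
        }
        $output[] = $op;
    }

    // 4. Evaluate the RPN with an explicit stack; no code is ever generated.
    $stack = [];
    foreach ($output as $item) {
        if (is_float($item)) {
            $stack[] = $item;
            continue;
        }
        if (count($stack) < 2) {
            throw new InvalidArgumentException('malformed expression');
        }
        $b = array_pop($stack);
        $a = array_pop($stack);
        switch ($item) {
            case '+': $stack[] = $a + $b; break;
            case '-': $stack[] = $a - $b; break;
            case '*': $stack[] = $a * $b; break;
            case '/':
                if ($b == 0.0) {
                    return null; // division by zero: no result rather than a PHP error
                }
                $stack[] = $a / $b;
                break;
        }
    }
    if (count($stack) !== 1) {
        throw new InvalidArgumentException('malformed expression');
    }
    return $stack[0];
}

// Constructed sample submissions.
$fields = ['price' => '20.50', 'qty' => '2', 'discount' => '-1'];
var_dump(safe_calculate('({price} * {qty}) + {discount}', $fields)); // float(40)

try {
    // A value that is not a number, quote included, is rejected before any evaluation.
    safe_calculate('{price} + {note}', ['price' => '1', 'note' => "it's free"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n"; // rejected: field 'note' is not numeric
}
```

The design point is that escaping is the wrong tool here: however thoroughly a value is escaped, placing it inside PHP source and calling eval() keeps the whole language reachable. Restricting the grammar to numbers and four operators and interpreting it directly removes the code path entirely, and the same structure extends to whatever functions a calculation feature legitimately needs (a fixed table of named operations, never arbitrary PHP).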

The report says exploitation began on April 13 and appears to come mainly from two IP addresses, 202.56.2[.]126 and 209.146.60[.]26. It also says administrators should review logs and user accounts for suspicious activity, including entries containing the string diksimarina.
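One way to do that review, as an added example that is neither Wordfence's tooling nor part of the plugin: a short PHP CLI script that flags web-server log lines from the two addresses above or containing the quoted username, and applies the same string check to a list of user accounts. The indicator values are the ones cited on this page; the log lines and account rows in the script are constructed samples, and the log format is assumed to be Apache/Nginx "combined".

```php
<?php
// Added example (not from Wordfence or the plugin): flag log lines and user
// accounts that match the indicators quoted in the report. The two addresses and
// the username come from the report as cited on this page; the log lines and
// account rows below are constructed samples, not real traffic or real users.

const SUSPECT_IPS     = ['202.56.2.126', '209.146.60.26'];
const SUSPECT_STRINGS = ['diksimarina'];

function scan_log_lines(array $lines, array $ips = SUSPECT_IPS, array $strings = SUSPECT_STRINGS): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $reasons = [];
        // The client address is the first whitespace-delimited token; compare the whole
        // token so that a longer address (e.g. 209.146.60.261) is not a false match.
        if (preg_match('/^(\S+)\s/', $line, $m) && in_array($m[1], $ips, true)) {
            $reasons[] = 'source IP ' . $m[1];
        }
        foreach ($strings as $s) {
            if (stripos($line, $s) !== false) {
                $reasons[] = "contains '$s'";
            }
        }
        if ($reasons) {
            $hits[] = ['line' => $i + 1, 'reasons' => $reasons, 'text' => $line];
        }
    }
    return $hits;
}

// Rows shaped like wp_users (user_login, user_email, user_registered); flags any
// login name or e-mail address containing an indicator string.
function suspicious_users(array $rows, array $strings = SUSPECT_STRINGS): array
{
    return array_values(array_filter($rows, function (array $row) use ($strings): bool {
        foreach ($strings as $s) {
            if (stripos($row['user_login'], $s) !== false || stripos($row['user_email'], $s) !== false) {
                return true;
            }
        }
        return false;
    }));
}

// Constructed sample log (Apache/Nginx combined format).
$sampleLog = [
    '203.0.113.7 - - [13/Apr/2026:10:02:11 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [13/Apr/2026:10:02:15 +0000] "POST /contact/ HTTP/1.1" 200 811 "-" "python-requests/2.31"',
    '209.146.60.261 - - [13/Apr/2026:10:03:40 +0000] "GET /about/ HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Apr/2026:10:04:02 +0000] "GET /author/diksimarina/ HTTP/1.1" 404 1202 "-" "Mozilla/5.0"',
];

// Pass a log path as the first argument to scan a real file; otherwise the sample is used.
$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $sampleLog;
foreach (scan_log_lines($lines) as $hit) {
    printf("line %d [%s]: %s\n", $hit['line'], implode('; ', $hit['reasons']), $hit['text']);
}
// Expected for the sample: line 2 flagged for the source IP, line 4 for the string;
// line 3 is not flagged because 209.146.60.261 is a different address.

// Constructed sample accounts.
$sampleUsers = [
    ['user_login' => 'editor_jane', 'user_email' => 'jane@example.com', 'user_registered' => '2024-05-01 09:00:00'],
    ['user_login' => 'diksimarina', 'user_email' => 'diksimarina@example.com', 'user_registered' => '2026-04-13 10:02:16'],
];
foreach (suspicious_users($sampleUsers) as $u) {
    printf("suspicious account: %s <%s> registered %s\n", $u['user_login'], $u['user_email'], $u['user_registered']);
}
```

Run it as `php scan.php /var/log/nginx/access.log` (or the Apache equivalent) on each site. For the account check, feed it real rows from the database or from WP-CLI, for example `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=json`, and treat any administrator created around April 13 with an unfamiliar name as suspect even if it does not match the quoted string. A match on one of the two addresses is a lead rather than proof, and since the report says attacks came "mainly" from them, their absence from the logs does not clear a site that was unpatched while the campaign was running.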

Researcher h0xilo reported CVE-2026-3300 through Wordfence in February. The developer released a patch on March 18, but the issue remains under active attack against unpatched sites.

WHY IT MATTERS

Administrator access can let attackers change site content, install plugins and themes, plant backdoors, and reach private databases. Website operators running older versions of the plugin face risk unless they update and check for signs of compromise.