
Critical Everest Forms Pro Vulnerability Exploited in WordPress Attacks

Severity: High (Score: 72.8)

Sources: Infosecurity-Magazine, Bleepingcomputer

Published: 2026-06-06 · Updated: 2026-06-06

Keywords: wordpress, everest, forms, critical, vulnerability, exploited, take

Severity indicators: critical, vulnerability, flaw

Summary

A critical vulnerability (CVE-2026-3300, CVSS 9.8) in the Everest Forms Pro plugin for WordPress is being actively exploited to take control of sites. The flaw affects versions 1.9.12 and earlier and lets unauthenticated attackers execute arbitrary PHP code through the plugin's Complex Calculation feature, which in the observed attacks is used to create rogue administrator accounts. Active exploitation began on April 13, 2026; Wordfence reports blocking over 29,300 attempts since then. The vulnerability was reported by researcher h0xilo and patched by WPEverest in version 1.9.13 on March 18, 2026. Administrators should update to 1.9.13 or later immediately. Indicators of compromise include the username 'diksimarina' and the source addresses 202.56.2.126 and 209.146.60.26.

Key Points:
  • CVE-2026-3300 allows unauthenticated remote code execution on vulnerable WordPress sites.
  • Over 29,300 exploitation attempts have been blocked since April 13, 2026.
  • Administrators must update to version 1.9.13 or later to close the vulnerability.

Detailed Analysis

**Impact**

Approximately 4,000 WordPress sites running Everest Forms Pro 1.9.12 or earlier are affected. Successful exploitation gives the attacker full administrator privileges, enabling content modification, plugin installation, backdoor deployment, and database access. Over 29,300 exploit attempts have been blocked since April 13, with a sharp surge on May 16. Because the plugin is used to build custom forms, sites relying on it for registration, payment, and similar workflows are the most exposed.

**Technical Details**

The vulnerability (CVE-2026-3300, CVSS 9.8) is in the Complex Calculation feature of Everest Forms Pro. A user-supplied value is concatenated into a PHP expression that is then run through eval(), and single quotes in that value are not escaped. Because the value sits inside a single-quoted string literal, a single quote in the input terminates the string early and everything after it is evaluated as PHP, giving an unauthenticated attacker remote code execution. The observed payloads create a rogue administrator account, notably with the username "diksimarina." Exploitation began on April 13, roughly two weeks after the CVE was published on March 31 and almost four weeks after the fixed version shipped, with attacks originating mainly from 202.56.2.126 and 209.146.60.26. Indicators of compromise are the username "diksimarina," the associated e-mail address [email protected], and the two IP addresses.

**Recommended Response**

Update Everest Forms Pro to version 1.9.13 or later immediately. Updating closes the hole but does not undo a compromise that has already happened, so also:

  • Block 202.56.2.126 and 209.146.60.26 and search web server and WAF logs for requests from them.
  • Search the WordPress user table for the username "diksimarina" and the associated e-mail address, and review every administrator account, in particular any created on or after April 13.
  • Review file integrity and recently modified or added PHP files for web shells, and check the site for unauthorized content or plugin changes.
  • Tune WAF and SIEM rules to flag form submissions whose field values contain a single quote followed by PHP syntax (for example `';` or `'.$`). Standard web server access logs do not record POST bodies, so this requires a WAF or audit log that captures request bodies.

If any indicator matches, treat the site as compromised: remove the rogue account and any web shell, rotate all WordPress and database credentials, and rebuild from a known-good source where the extent of changes cannot be established.
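The log and account checks described in the Recommended Response, as a Python script. This is an added example, not code from Wordfence, WPEverest or the source articles. It assumes an Apache/nginx combined access log format and a wp_users export with a role column; the break-out heuristic assumes the injected value lands inside a single-quoted PHP string, as the technical details describe. The rogue account's e-mail address is redacted in this copy of the page, so the script matches on username only and leaves ROGUE_EMAILS for the operator to fill in. All sample log lines, user rows and field values are constructed, including the admin-ajax.php path, which is not a claim about the exploit endpoint.

```python
"""IoC sweep and payload heuristics for CVE-2026-3300 (Everest Forms Pro).

Added example; not code from Wordfence, WPEverest or the source articles.
The log lines, user rows and field values below are constructed.
"""
import re
from datetime import date
from urllib.parse import unquote_plus

# IoCs quoted on the page. The rogue account's e-mail address is redacted in
# this copy of the page, so ROGUE_EMAILS is left empty; fill it from the
# Wordfence write-up before running this against real data.
ATTACKER_IPS = {"202.56.2.126", "209.146.60.26"}
ROGUE_USERNAMES = {"diksimarina"}
ROGUE_EMAILS: set[str] = set()
EXPLOITATION_START = date(2026, 4, 13)

# Assumption: the calculation value is interpolated into a single-quoted PHP
# string, so an exploit payload must close that string and continue with PHP
# syntax. Requiring quote + terminator + identifier keeps apostrophes in
# ordinary text ("O'Brien", "don't") from matching.
BREAKOUT = re.compile(r"'\s*(?:[.;)]\s*)+(?:\$\w+|\w+\s*\()")

# Apache/nginx combined log format: client IP, request line and status only.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_breakout_payload(value: str) -> bool:
    """True if a submitted form value looks like a PHP string break-out."""
    decoded = unquote_plus(value)  # payloads arrive URL-encoded
    return BREAKOUT.search(decoded) is not None


def scan_access_log(lines):
    """Return (ip, method, path, status) for requests from the IoC addresses.

    Access logs do not carry POST bodies, so this finds the source, not the
    payload; pair it with is_breakout_payload() on WAF or audit-log bodies.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["ip"] in ATTACKER_IPS:
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


def find_rogue_admins(users):
    """Split a user export into exact IoC matches and accounts to review.

    `users` is an iterable of dicts with user_login, user_email, role and
    user_registered (YYYY-MM-DD). Exact IoC matches come first; administrators
    registered on or after the exploitation start date are returned separately
    for manual review (a heuristic, not an indicator).
    """
    ioc_hits, review = [], []
    for u in users:
        if u["user_login"] in ROGUE_USERNAMES or u["user_email"].lower() in ROGUE_EMAILS:
            ioc_hits.append(u["user_login"])
        elif u["role"] == "administrator" and date.fromisoformat(u["user_registered"]) >= EXPLOITATION_START:
            review.append(u["user_login"])
    return ioc_hits, review


# Constructed sample data (not real traffic, not a real site).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2026:09:14:02 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [16/May/2026:09:14:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '209.146.60.26 - - [16/May/2026:09:15:41 +0000] "GET /wp-login.php HTTP/1.1" 200 4431 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = [
    {"user_login": "editor_jane", "user_email": "jane@example.com", "role": "editor", "user_registered": "2024-02-01"},
    # placeholder address: the real one is redacted on the page
    {"user_login": "diksimarina", "user_email": "unknown@example.com", "role": "administrator", "user_registered": "2026-05-16"},
    {"user_login": "ops-admin", "user_email": "ops@example.com", "role": "administrator", "user_registered": "2026-05-02"},
]
SAMPLE_FIELD_VALUES = [
    "quantity * 2 + 1",
    "O'Brien's order",
    "1'; system($_GET['c']); //",
    "0%27.%24_POST%5Bx%5D.%27",  # URL-encoded form of  0'.$_POST[x].'
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
    print(find_rogue_admins(SAMPLE_USERS))
    print([v for v in SAMPLE_FIELD_VALUES if is_breakout_payload(v)])
```

The break-out regex is deliberately narrow: it asks for a quote, then a string terminator or concatenation operator, then a PHP variable or function call, which catches the two shapes a string escape has to take while leaving ordinary apostrophes alone. Widen it only with a corpus of your own form submissions to measure the false-positive rate, and remember that the administrator-age check is a review queue, not evidence of compromise.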

Source articles (2)

  • Everest Forms Pro Vulnerability Allows Remote Code Execution on WordPress Sites — Infosecurity-Magazine · 2026-06-04
    A critical vulnerability in the Everest Forms Pro plugin for WordPress has been actively exploited to hijack vulnerable websites. According to new analysis from WordPress security firm Wordfence, the…
  • Critical Everest Forms Pro flaw exploited to take over WordPress sites — Bleepingcomputer · 2026-06-06
    Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website. The security issue affects versi…

Timeline

  • 2026-03-18 — Patch released for CVE-2026-3300: WPEverest released version 1.9.13 to address the critical vulnerability in Everest Forms Pro.
  • 2026-03-31 — CVE-2026-3300 published: The critical vulnerability in Everest Forms Pro was officially published, affecting versions up to 1.9.12.
  • 2026-04-13 — Active exploitation begins: Wordfence reported that exploitation of the CVE-2026-3300 vulnerability started, with significant attack attempts recorded.
  • 2026-05-16 — Surge in exploitation attempts: A single day saw over 17,900 blocked attempts related to the Everest Forms Pro vulnerability.
  • 2026-06-05 — First public PoC released: The first proof of concept for CVE-2026-3300 was made public, increasing the risk of exploitation.

CVEs

  • CVE-2026-3300

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • CWE-94 - Code Injection (Cwe)
  • gmail.com (Domain)
  • [email protected] (Email)
  • 202.56.2.126 (Ipv4)
  • 209.146.60.26 (Ipv4)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1136 - Create Account (Mitre Attack)
  • T1505.003 - Web Shell (Mitre Attack)
  • PHP (Platform)
  • WordPress (Platform)