WordPress Sites Compromised via Everest Forms Pro Vulnerability

Hackers are exploiting a critical vulnerability in the Everest Forms Pro plugin for WordPress (CVE-2026-3300), allowing them to execute arbitrary code on affected servers. This flaw is being used to create rogue administrator accounts, giving attackers full control over compromised websites. Wordfence data shows active exploitation since April 13, with numerous attempts blocked by their firewall. Website administrators should immediately update the plugin and review logs for suspicious activities.

Summary

A critical vulnerability in the Everest Forms Pro plugin (CVE-2026-3300) has been actively exploited by hackers to take over WordPress sites. The flaw resides in the Complex Calculation feature of the plugin, which improperly handles user input, allowing attackers to inject and execute arbitrary PHP code on the server. This capability enables attackers to create rogue administrator accounts with full control over compromised websites. Wordfence firewall data indicates that exploitation attempts began on April 13, primarily originating from two IP addresses.

What Happened

The Everest Forms Pro plugin for WordPress, used to build complex forms such as contact and payment forms, has a critical vulnerability in its Complex Calculation feature. The flaw allows unauthenticated attackers to get arbitrary PHP code executed on the server because of improper input handling: user-submitted form field values are concatenated into a string of PHP source code without proper escaping, and that string is then passed to eval().

How the Attack Works

Attackers exploit this vulnerability by submitting a crafted value in any string-type form field (text, email, URL, select, radio) that is referenced by a Complex Calculation. The input passes through WordPress's sanitize_text_field(), which strips tags and stray whitespace but does not escape single quotes or other characters that are meaningful in PHP source. A single quote in the value therefore closes the intended string literal, and whatever follows it is compiled as PHP code.

The injected code often creates a new administrator account with a specific username, such as "diksimarina," by calling the wp_insert_user() function. The trailing comment marker (//) ensures that any remaining generated PHP code is treated as a comment, preventing syntax errors. When the form is processed, the malicious code executes, granting attackers administrative access.

Technical Details

The vulnerability exists in all versions of Everest Forms Pro up to and including 1.9.12. It specifically affects the process_filter() function within the Calculation Addon, which concatenates user-submitted values into a PHP string without proper escaping. The official description from Wordfence provides further technical insights:

"The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters."

This flaw allows attackers to execute arbitrary PHP code on the server, leading to full administrative control over the compromised WordPress site.
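To make the defect concrete, here is an added example (not the plugin's code) of the pattern described above beside two hardened forms. The function names are hypothetical, and sanitize_text_field() is replaced by a simplified stand-in so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code: a minimal stand-in for the pattern the
// advisory describes (a form value spliced into PHP source that is later passed
// to eval()). Function names here are hypothetical.

// Simplified stand-in for WordPress core's sanitize_text_field() so the file runs
// outside WordPress. Like the real one, it strips tags and trims whitespace but
// leaves quotes untouched.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        return trim(strip_tags($str));
    }
}

// Vulnerable pattern: the value lands inside a single-quoted literal unescaped,
// so any single quote in it terminates the literal and the rest becomes code.
function build_calc_code_vulnerable(string $field_value): string {
    $clean = sanitize_text_field($field_value);
    return "\$result = '" . $clean . "' * 2;";
}

// Hardened pattern: treat the value as data. A calculation only needs a number,
// so reject anything non-numeric; if a string ever must be embedded, var_export()
// emits a correctly escaped PHP literal instead of raw concatenation.
function build_calc_code_hardened(string $field_value): string {
    $clean = sanitize_text_field($field_value);
    if (!is_numeric($clean)) {
        throw new InvalidArgumentException('calculation field must be numeric');
    }
    return '$result = ' . var_export((float) $clean, true) . ' * 2;';
}

// Best option: compute the value directly and keep eval() out of the request path.
function calc_directly(string $field_value): float {
    $clean = sanitize_text_field($field_value);
    if (!is_numeric($clean)) {
        throw new InvalidArgumentException('calculation field must be numeric');
    }
    return (float) $clean * 2;
}

// Harmless constructed input containing a single quote: the vulnerable builder
// emits a literal that the quote cuts short, the hardened builder rejects it.
$value = "Bob's total";
echo build_calc_code_vulnerable($value), PHP_EOL;
try {
    echo build_calc_code_hardened($value), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo build_calc_code_hardened('21'), PHP_EOL;
echo calc_directly('21'), PHP_EOL;
```

The generated source is only echoed here, never evaluated; the point is that the hardened builders can never produce a literal that a submitted value terminates early.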

Affected Products and Fixed Versions

  • Product: Everest Forms Pro
  • Affected Versions: All versions up to and including 1.9.12
  • Fixed Version: 3.4.8 (released on May 27, 2026)

Website administrators should update their plugin to version 3.4.8 or later to mitigate this vulnerability.

Exploitation Status

The CVE-2026-3300 vulnerability is actively exploited in the wild. Wordfence telemetry shows that exploitation attempts began on April 13, with its firewall blocking more than 29,300 attempts. Most of these attempts came from two IP addresses: 202.56.2[.]126 and 209.146.60.26.

Indicators of Compromise

  • Offending IP Addresses:
    • 202.56.2[.]126
    • 209.146.60.26
  • Suspicious Administrator Accounts:
    • Review logs for accounts with usernames containing "diksimarina."

Detection Opportunities

Security teams can detect exploitation attempts by monitoring firewall and web-server logs for requests from the identified IP addresses, and by reviewing WordPress activity logs and the user table for suspicious activity, in particular the creation of new administrator accounts.

Defender Guidance

  1. Update Immediately: Ensure that Everest Forms Pro is updated to version 3.4.8 or later.
  2. Review Logs: Examine WordPress log files for any signs of unauthorized access or account creation attempts.
  3. Block Offending IPs: Implement firewall rules to block connections from the identified IP addresses.
  4. Audit Admin Accounts: Check for and remove any suspicious administrator accounts, especially those with usernames containing "diksimarina."
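The log review and account audit in the steps above, as an added example that is not Wordfence's or the plugin's code. The access-log format, the request path and the user rows are constructed sample data; the row layout stands in for wp_users joined with its wp_capabilities usermeta value.

```php
<?php
// Added example, not Wordfence's or the plugin's code: triage helpers for the
// indicators in this advisory, run over constructed sample data. The log format,
// request path and user rows are assumptions.

const IOC_IPS = ['202.56.2.126', '209.146.60.26'];   // advisory IPs (first is defanged there)
const SUSPICIOUS_LOGIN_FRAGMENT = 'diksimarina';
const FIRST_OBSERVED_ATTEMPT = '2026-04-13 00:00:00';

// Return access-log lines (combined log format, client IP first) from the IoC IPs.
function find_ioc_requests(array $log_lines): array {
    return array_values(array_filter($log_lines, function (string $line): bool {
        $client_ip = strtok($line, ' ');
        return in_array($client_ip, IOC_IPS, true);
    }));
}

// Return logins of administrator accounts worth a manual look: a login containing
// the known fragment, or an account registered on/after the first observed attempt.
// Each row stands in for wp_users joined with its wp_capabilities usermeta value.
function find_suspicious_admins(array $users): array {
    $flagged = [];
    foreach ($users as $u) {
        if (strpos($u['capabilities'], 'administrator') === false) {
            continue;
        }
        $name_hit = stripos($u['user_login'], SUSPICIOUS_LOGIN_FRAGMENT) !== false;
        $date_hit = $u['user_registered'] >= FIRST_OBSERVED_ATTEMPT;  // ISO timestamps compare as strings
        if ($name_hit || $date_hit) {
            $flagged[] = $u['user_login'];
        }
    }
    return $flagged;
}

// Constructed sample data.
$sample_log = [
    '203.0.113.7 - - [12/Apr/2026:09:01:10 +0000] "GET /contact/ HTTP/1.1" 200 4321',
    '209.146.60.26 - - [13/Apr/2026:10:22:01 +0000] "POST /contact/ HTTP/1.1" 200 512',
    '202.56.2.126 - - [14/Apr/2026:02:45:33 +0000] "POST /contact/ HTTP/1.1" 403 0',
];
$sample_users = [
    ['user_login' => 'owner',       'user_registered' => '2024-01-05 12:00:00', 'capabilities' => 'a:1:{s:13:"administrator";b:1;}'],
    ['user_login' => 'diksimarina', 'user_registered' => '2026-04-14 02:45:40', 'capabilities' => 'a:1:{s:13:"administrator";b:1;}'],
    ['user_login' => 'editor1',     'user_registered' => '2026-05-01 08:00:00', 'capabilities' => 'a:1:{s:6:"editor";b:1;}'],
];
print_r(find_ioc_requests($sample_log));
print_r(find_suspicious_admins($sample_users));
```

On a live site the same two checks map to grep over the access log for the IoC IPs and a query of wp_users joined with wp_usermeta on the wp_capabilities key; the date criterion produces a review list, not a verdict.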

What Remains Unclear

While the exploitation method is well-documented, specific details about the full scope of affected WordPress sites and the total number of compromised instances remain unclear. Further investigation by security teams may reveal more about the extent of this vulnerability's impact.


Sources

  1. https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/389c0b89-e408-4ad5-9723-a16b745771f0?source=cve
  3. https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/class-evf-form-task.php#L584
  4. https://everestforms.net/changelog/
  5. https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
Harith Dilshan