
Everest Forms Pro Vulnerability Enables Remote Code Execution


Critical Vulnerability Exposes WordPress Websites to Exploitation

A critical vulnerability in the Everest Forms Pro plugin for WordPress is being actively exploited to take over sites that have not applied the fix. Tracked as CVE-2026-3300, the flaw lets unauthenticated attackers execute arbitrary code on the affected web server.

The issue was described in a recent analysis by Wordfence, a security firm that monitors and protects WordPress sites. The flaw carries a CVSS score of 9.8 and affects every version of Everest Forms Pro up to and including 1.9.12. The commercial form-builder plugin, developed by WPEverest, has around 4,000 active installations, so the potential impact is substantial.

The root cause lies in the plugin's Calculation add-on, which evaluates form calculation formulas with PHP's eval(). Submitted field values are spliced into the PHP source string before it is evaluated. The plugin relies on sanitize_text_field() to clean those values, but that function does not strip single quotes. A value containing a single quote can therefore terminate the surrounding string literal, and whatever follows it is parsed and executed as PHP by eval().

The flaw is reachable on forms that use the "Complex Calculation" feature. On such a form, any text, email, URL, select, or radio field can serve as the entry point. A successful attack can create unauthorized administrator accounts, upload webshells, and pivot further into the affected system.
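As an added illustration (not WPEverest's code, which this article does not reproduce), the following PHP sketch shows the defensive pattern the two paragraphs above point at: a field value bound for a formula string that will later be evaluated is accepted only as a validated numeric literal, so a quote can never close the surrounding string. The `{field_n}` template syntax and the function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The defect described above is that
// a submitted field value is spliced into a PHP source string that then goes to
// eval(); tag stripping of the kind sanitize_text_field() performs leaves single
// quotes intact, so a value containing one can close the string literal.
// The safe pattern is to never let raw text reach the source string: every
// placeholder must resolve to a validated numeric literal or the calculation
// is refused outright.

/** Return $raw as a PHP numeric literal, or null if it is not a plain number. */
function numeric_literal_or_null(string $raw): ?string {
    $raw = trim($raw);
    // Only an optional sign, digits and an optional decimal part are accepted.
    if (!preg_match('/^-?\d+(?:\.\d+)?$/', $raw)) {
        return null;
    }
    // Re-emit from a float so the literal is produced by PHP, not copied from input.
    return var_export((float) $raw, true);
}

/**
 * Resolve a formula template such as "{field_1} * {field_2} + 10" against the
 * submitted values. Returns the expression to evaluate, or null if any field
 * is not numeric or the assembled text contains anything but arithmetic.
 */
function build_expression(string $template, array $fields): ?string {
    $rejected = false;
    $expr = preg_replace_callback(
        '/\{(field_\d+)\}/',
        function (array $m) use ($fields, &$rejected): string {
            $value = array_key_exists($m[1], $fields) ? (string) $fields[$m[1]] : '';
            $literal = numeric_literal_or_null($value);
            if ($literal === null) {
                $rejected = true;   // remember the failure; the caller refuses the whole formula
                return '0';
            }
            return $literal;
        },
        $template
    );
    if ($rejected) {
        return null;
    }
    // Second line of defence: the final text may contain only numbers,
    // arithmetic operators, parentheses and whitespace. Even so, evaluating
    // it with a small arithmetic parser instead of eval() removes the sink entirely.
    return preg_match('/^[\d.\s+\-*\/()]+$/', $expr) ? $expr : null;
}

// Constructed inputs: a normal submission, then a value carrying a single quote.
var_dump(build_expression('{field_1} * {field_2} + 10', ['field_1' => '3', 'field_2' => '4.5']));
var_dump(build_expression('{field_1} * 2', ['field_1' => "3'"]));
```

The first call yields a purely arithmetic string; the second is refused with null before anything reaches an evaluator.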

According to Wordfence, the first recorded exploitation began on April 13, 2026, roughly two weeks after public disclosure. The main goal of the attacks appears to be registering rogue administrator accounts; the username "diksimarina" recurs throughout Wordfence telemetry.

In the weeks since, Wordfence reports that its firewall has blocked over 29,300 exploit attempts. The sharpest spike came on May 16, when more than 17,900 attempts were recorded in a single day, pointing to a coordinated campaign against vulnerable sites and underscoring the need for administrators to act immediately.

Administrators of WordPress sites that run Everest Forms Pro should review their logs for specific indicators of compromise: any unexpected account with the username "diksimarina" or an email address tied to that name, such as "diksimarina@gmail.com", and incoming requests from the IP address 202.56.2.126, which alone accounts for over 26,300 of the blocked attacks.

The recurrence of vulnerabilities allowing attackers administrative access remains a pivotal concern for WordPress operators. The ramifications of such flaws can be detrimental, not only causing direct harm to the affected websites but also potentially compromising user data and disrupting business operations.

WPEverest has addressed the vulnerability in version 1.9.13. Any site running an earlier version should be updated promptly to close the exposure.

As the cybersecurity landscape continues to evolve, vigilance and timely updates will be paramount for website administrators who wish to keep their platforms secure and resilient against attacks. This incident serves as a stark reminder of the vulnerabilities inherent in digital ecosystems and the importance of securing every layer of online operations.
