Everest Forms Pro Vulnerability Allows Remote Code Execution

A critical vulnerability in the Everest Forms Pro plugin for WordPress has been actively exploited to hijack vulnerable websites.

According to new analysis from WordPress security firm Wordfence, the remote code execution flaw lets unauthenticated attackers run PHP on a target server and take over the site.

Tracked as CVE-2026-3300, the bug scores 9.8 on the CVSS scale and affects every release up to and including 1.9.12. Everest Forms Pro is a commercial form builder from developer WPEverest, with roughly 4000 active installations.

The flaw was reported to Wordfence’s bug bounty program by a researcher using the handle h0xilo.

WPEverest patched the flaw in version 1.9.13. Any site on an earlier build remains exposed, and administrators have been urged to update without delay.

Read more on WordPress plugin attacks: Major WordPress Plugin Flaw Exploited in Under 4 Hours

Single Quotes Slip Past Sanitization

At the core of the bug is the WordPress plugin’s Calculation add-on, which runs a form’s calculation formula through PHP’s eval() function.

Submitted field values are concatenated into that PHP string before it runs, and sanitize_text_field() does not escape single quotes. An attacker can open a value with a quote, break out of the wrapping string and inject PHP that eval() then executes.

Only forms that switch on the “Complex Calculation” feature are exposed to the PHP code injection. On those, any text, email, URL, select or radio field can serve as the entry point.

From there, a successful attack can create rogue administrator accounts, plant webshells and open further footholds.

Rogue Admin Accounts and Blocked Attacks

Wordfence telemetry shows the attacks began on April 13, 2026, about two weeks after public disclosure. Its leading payload tried to register an administrator account named “diksimarina.”

In total, the firm said its firewall has blocked more than 29,300 exploit attempts. A surge on May 16 accounted for over 17,900 of them in a single day.

Defenders reviewing their logs should watch for the following indicators:

Administrator account using the name “diksimarina”
The email address diksimarina@gmail.com
Requests from 202.56.2.126, the source of more than 26,300 blocked attempts

Flaws that hand attackers administrator access have become a recurring problem for WordPress operators.

Source

What's Hot

AI Adoption Creates New Opportunities for Attackers

Malicious npm Package Stole Files From Claude AI User Directory via GitHub

Everest Forms Pro Vulnerability Allows Remote Code Execution

AI Adoption Creates New Opportunities for Attackers

Malicious npm Package Stole Files From Claude AI User Directory via GitHub

5 Steps to Managing Shadow AI Tools Without Slowing Down Employees

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

Why SOC Burnout Can Be Avoided: Practical Steps

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

Our Picks

Scams target soccer fans with fake World Cup tickets, merchandise

What if your romantic AI chatbot can’t keep a secret?

What it is and how to protect yourself

Subscribe to Updates

What's Hot

Everest Forms Pro Vulnerability Allows Remote Code Execution

Single Quotes Slip Past Sanitization

Rogue Admin Accounts and Blocked Attacks

Related Posts

Subscribe to Updates