HackMyIP
2026-06-05 The Hacker News

Hackers Exploit Critical Everest Forms Pro RCE Flaw to Hijack WordPress Sites

Tags: Vulnerability, Threat Intel, Malware

Threat actors are actively weaponizing a critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin, putting an estimated 4,000 active installations at risk of complete site takeover. Tracked as CVE-2026-3300 and carrying a maximum CVSS score of 9.8, the flaw resides in the plugin's Calculation Addon, where the process_filter() function concatenates user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() call applied to that input does not escape single quotes or other characters that carry meaning in a PHP code context, so unauthenticated attackers can inject arbitrary PHP code via any string-type form field (text, email, URL, select, or radio) on forms that use the "Complex Calculation" feature.
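The defect described above is a context mismatch: sanitize_text_field() is an HTML-oriented sanitizer, and no HTML sanitizing makes a value safe to splice into PHP source that is then handed to eval(). The durable fix is to never build code from form values at all. The following Python sketch is an added illustration of that pattern; it is not Everest Forms code and does not reproduce the plugin's actual logic. The administrator's formula is parsed with an allowlist grammar, and each submitted field value is bound as a number rather than spliced into the formula text. The `{field:name}` placeholder syntax and all function names are assumptions made for the example.

```python
import ast
import operator
import re

# Assumed placeholder syntax for referencing a submitted field inside an admin-authored formula.
FIELD_RE = re.compile(r"\{field:([A-Za-z0-9_]+)\}")
NUMBER_RE = re.compile(r"\s*[-+]?\d+(?:\.\d+)?\s*")

# Allowlisted arithmetic. Anything else (calls, attributes, subscripts, unbound names,
# string constants) is refused rather than evaluated.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


class CalculationError(ValueError):
    """Raised for non-numeric field values or formula syntax outside the allowlist."""


def coerce_number(raw):
    # Submitted values are data. They must look like a decimal number or the
    # calculation is refused; a quote or any other character never reaches a parser.
    if not isinstance(raw, str) or NUMBER_RE.fullmatch(raw) is None:
        raise CalculationError(f"field value is not numeric: {raw!r}")
    return float(raw)


def _evaluate_node(node, bindings):
    # Walk the parsed formula and evaluate only the node types we explicitly allow.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)
    if isinstance(node, ast.Name) and node.id in bindings:
        return bindings[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left = _evaluate_node(node.left, bindings)
        right = _evaluate_node(node.right, bindings)
        if isinstance(node.op, ast.Div) and right == 0:
            raise CalculationError("division by zero")
        return BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_evaluate_node(node.operand, bindings))
    raise CalculationError(f"disallowed syntax: {type(node).__name__}")


def evaluate_formula(formula, submitted):
    """Evaluate an admin-authored formula against user-submitted field values.

    Field values are bound as numbers under generated names; the formula text is
    never extended with user input, so there is no code-injection path.
    """
    bindings = {}

    def bind(match):
        key = match.group(1)
        if key not in submitted:
            raise CalculationError(f"unknown field: {key}")
        name = f"field_{key}"
        bindings[name] = coerce_number(submitted[key])
        return name

    expression = FIELD_RE.sub(bind, formula)
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise CalculationError(f"formula does not parse: {exc.msg}") from exc
    return _evaluate_node(tree.body, bindings)


def formula_is_rejected(formula, submitted):
    """True when the evaluator refuses the input instead of producing a number."""
    try:
        evaluate_formula(formula, submitted)
    except CalculationError:
        return True
    return False


if __name__ == "__main__":
    print(evaluate_formula("{field:qty} * {field:price} + 5", {"qty": "3", "price": "2.5"}))
```

The important property is that a submitted value such as `3' . 'x` is rejected by coerce_number() before any parsing happens; it is never interpreted, only compared against a numeric pattern. The formula itself is trusted administrator input, but even there the allowlist walker refuses calls and attribute access, so a misconfigured formula cannot turn into code execution either.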

A patch was shipped on March 18, 2026, in version 1.9.13, yet attackers began exploiting the defect in the wild as early as April 13, 2026. According to Wordfence, more than 29,300 exploit attempts have been blocked to date, with 16 attempts recorded in the 24 hours preceding disclosure. The most prevalent payload attempts to create a rogue administrator account named "diksimarina" tied to the email address diksimarina@gmail.com. Attack traffic has been traced to several IP addresses, including 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153. Site administrators can audit suspicious inbound connections with a port scanner and validate the ownership of these hosts via a WHOIS lookup to identify potentially malicious infrastructure. Any administrator account matching the diksimarina pattern should be considered compromised and removed immediately; affected operators should also run an email breach checker on associated addresses to assess broader credential exposure.
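A self-check for the indicators listed above, as an added example that is not from the article or from Wordfence: it compares the installed plugin version against the 1.9.13 fix, flags accounts matching the diksimarina login or e-mail address, and matches access-log client addresses (IPv4 and IPv6) against the reported IPs. The user records and log lines are constructed samples, shaped like `wp user list --format=json` output and the common web-server log format; in practice they would come from the site's database and web-server logs.

```python
import ipaddress
import re

# Version that carries the fix, per the article.
PATCHED_VERSION = (1, 9, 13)

# Indicators reported in the article: attacking addresses and the rogue admin account.
IOC_IPS = {
    ipaddress.ip_address(a)
    for a in ("202.56.2.126", "209.146.60.26", "15.235.166.18",
              "2402:1f00:8000:800::40db", "185.78.165.153")
}
ROGUE_LOGIN_PATTERN = re.compile(r"diksimarina", re.IGNORECASE)
ROGUE_EMAIL = "diksimarina@gmail.com"

# Constructed sample data standing in for `wp user list --format=json` output.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com", "roles": "administrator"},
    {"ID": 7, "user_login": "diksimarina", "user_email": "diksimarina@gmail.com", "roles": "administrator"},
    {"ID": 8, "user_login": "editor1", "user_email": "editor@example.com", "roles": "editor"},
]

# Constructed sample access-log lines (common log format).
SAMPLE_LOG = [
    '202.56.2.126 - - [13/Apr/2026:09:41:07 +0000] "POST /contact/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [13/Apr/2026:09:41:19 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2402:1f00:8000:800::40db - - [13/Apr/2026:09:42:03 +0000] "POST /contact/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
]


def parse_version(version):
    """Turn '1.9.12' into a comparable 3-tuple; a non-numeric component counts as 0."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def plugin_is_vulnerable(installed_version):
    """True when the installed Everest Forms Pro version predates the 1.9.13 fix."""
    return parse_version(installed_version) < PATCHED_VERSION


def find_rogue_accounts(users):
    """Return logins of accounts matching the reported rogue-admin login or e-mail, any role."""
    hits = []
    for user in users:
        login = user.get("user_login", "")
        email = user.get("user_email", "")
        if ROGUE_LOGIN_PATTERN.search(login) or email.lower() == ROGUE_EMAIL:
            hits.append(login)
    return hits


def find_ioc_hits(log_lines):
    """Return (client_ip, line) pairs whose client address is one of the reported IOC IPs."""
    hits = []
    for line in log_lines:
        token = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(token)  # normalises IPv6 spelling before comparison
        except ValueError:
            continue  # not a log line that starts with a client address
        if addr in IOC_IPS:
            hits.append((str(addr), line))
    return hits


if __name__ == "__main__":
    print("vulnerable version installed:", plugin_is_vulnerable("1.9.12"))
    print("rogue accounts:", find_rogue_accounts(SAMPLE_USERS))
    for ip, line in find_ioc_hits(SAMPLE_LOG):
        print("IOC hit from", ip, "->", line)
```

A hit from any of these checks is a reason to treat the site as compromised rather than merely unpatched: the rogue account is created after code execution has already occurred, so removing it and updating the plugin does not by itself rule out a web shell or other persistence left behind.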

Successful exploitation grants attackers the ability to create rogue administrator accounts, deploy web shells, and establish persistent footholds deep within the server environment. The disclosure coincides with a separate warning from Sansec detailing skimmer campaigns that abuse Stripe as a command-and-control server and data exfiltration sink. By leveraging Google Tag Manager and Stripe domains (googletagmanager.com and api.stripe.com)—both implicitly trusted by online stores—attackers load malicious code from a GTM container and execute it on every page load. On Magento and Adobe Commerce checkout pages, the campaign extracts an obfuscated skimmer from a Stripe customer account's metadata field and exfiltrates stolen financial data, effectively treating Stripe as free, reputable infrastructure to bypass Content Security Policy rules and network filters.

Source: The Hacker News
