Critical Everest Forms Pro Flaw Actively Exploited to Hijack WordPress Sites
Hackers are actively exploiting a critical unauthenticated remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin to seize full control of vulnerable websites. Tracked as CVE-2026-3300, the flaw impacts all versions up to and including 1.9.12 and is now being weaponized at scale, with Wordfence reporting more than 29,300 blocked exploitation attempts since April 13. Everest Forms Pro is a commercial extension for the popular Everest Forms builder, commonly used for contact, registration, and payment workflows, making the attack surface particularly broad across the WordPress ecosystem.
The vulnerability resides in the plugin's Complex Calculation feature, which builds a PHP expression from user-submitted form values and passes it to eval(). Although the input is run through sanitize_text_field(), that function strips tags and line breaks but does not escape single quotes or other characters that are significant to PHP. An attacker can therefore close the intended string literal, inject an arbitrary PHP statement, and append a double-slash comment so that the remainder of the generated expression is ignored, giving clean code execution. In observed attacks, threat actors inject a call to wp_insert_user() that creates a rogue administrator account under the username "diksimarina," granting them unrestricted access to the compromised site, including the ability to upload backdoors, modify content, and pivot to the underlying database.
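The root cause described above is that sanitization is not validation: sanitize_text_field() leaves quote characters intact, and any string that reaches eval() is code. The following is an added example of the defensive pattern (it is not Everest Forms code): each submitted value is validated as a number, and the formula is computed by a small recursive-descent evaluator that understands only numbers, + - * / and parentheses, so no user-controlled string is ever executed. The class name SafeCalc and the {field} placeholder syntax are assumptions for illustration.

```php
<?php
// Added example, not plugin code. Values are validated as floats and the
// formula is parsed by a tiny arithmetic evaluator instead of eval().
final class SafeCalc {
    private string $s; private int $i = 0;
    private function __construct(string $expr) { $this->s = $expr; }

    /** Replace {field} placeholders with validated floats, then evaluate. */
    public static function evaluate(string $formula, array $submitted): float {
        $expr = preg_replace_callback('/\{([a-z0-9_]+)\}/i', function ($m) use ($submitted) {
            $raw = $submitted[$m[1]] ?? null;
            // Reject anything that is not a number; do not try to "clean" it.
            if ($raw === null || filter_var($raw, FILTER_VALIDATE_FLOAT) === false) {
                throw new InvalidArgumentException("Field {$m[1]} is not numeric");
            }
            return sprintf('(%F)', (float) $raw);   // fixed-point, no exponent
        }, $formula);
        // After substitution only arithmetic characters may remain.
        if (!preg_match('/^[0-9+\-*\/(). ]+$/', $expr)) {
            throw new InvalidArgumentException('Formula contains disallowed characters');
        }
        $p = new self(str_replace(' ', '', $expr));
        $v = $p->expr();
        if ($p->i !== strlen($p->s)) throw new InvalidArgumentException('Trailing input');
        return $v;
    }
    private function expr(): float {           // expr := term (('+'|'-') term)*
        $v = $this->term();
        while (($c = $this->peek()) === '+' || $c === '-') { $this->i++; $r = $this->term(); $v = $c === '+' ? $v + $r : $v - $r; }
        return $v;
    }
    private function term(): float {           // term := factor (('*'|'/') factor)*
        $v = $this->factor();
        while (($c = $this->peek()) === '*' || $c === '/') {
            $this->i++; $r = $this->factor();
            if ($c === '/' && $r == 0.0) throw new DivisionByZeroError('Division by zero');
            $v = $c === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float {         // factor := number | '(' expr ')' | '-' factor
        $c = $this->peek();
        if ($c === '(') { $this->i++; $v = $this->expr(); if ($this->peek() !== ')') throw new InvalidArgumentException('Missing )'); $this->i++; return $v; }
        if ($c === '-') { $this->i++; return -$this->factor(); }
        if (!preg_match('/\G\d+(\.\d+)?/', $this->s, $m, 0, $this->i)) throw new InvalidArgumentException('Number expected');
        $this->i += strlen($m[0]);
        return (float) $m[0];
    }
    private function peek(): string { return $this->s[$this->i] ?? ''; }
}
// Constructed sample: formula from the form designer, values from a submission.
var_dump(SafeCalc::evaluate('{qty} * {price} - {discount}', ['qty' => '3', 'price' => '19.99', 'discount' => '5']));
```

A submission carrying a quote or a PHP identifier in any field fails filter_var() and raises an exception before any computation happens, which is also a useful signal to log.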
The flaw was responsibly disclosed by researcher h0xilo through Wordfence in February, and Everest Forms shipped a patch on March 18. Wordfence telemetry attributes the bulk of exploitation traffic to two IP addresses, 202.56.2[.]126 and 209.146.60[.]26, which defenders should block immediately; additional indicators of compromise (IOCs) are listed in the original advisory. Site owners are urged to update to the latest patched version, audit their administrator accounts for any unfamiliar users (especially "diksimarina"), and review server logs for suspicious POST requests to form-submission endpoints. Administrators can use a WHOIS lookup to investigate suspicious source IPs and a port scanner to confirm that no rogue services were started after a suspected breach, while a privacy checkup can help ensure that leftover admin sessions and exposed panels are properly hardened.