Attackers are actively exploiting a critical vulnerability in the Everest Forms Pro WordPress plugin, tracked as CVE-2026-3300. The flaw, rated 9.8 on the CVSS scale, allows unauthenticated attackers to inject and execute arbitrary PHP code remotely on affected websites.
Details of the Exploitation
The vulnerability affects all plugin versions up to and including 1.9.12. A patch was released on March 18, 2026, but exploitation campaigns against sites that had not updated began on April 13, 2026. Wordfence reports more than 29,300 blocked exploitation attempts, with a sharp surge on May 16, when more than 17,900 attacks were recorded.
The core issue lies in the plugin's 'Complex Calculation' feature, specifically in its process_filter() function. The function builds PHP code dynamically from user-supplied form values and passes it to eval() without properly escaping critical characters, so a crafted form-field value can break out of the generated expression and inject PHP code that the server then executes.
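The following is an added illustration of that defect class and its fix; it is not Everest Forms Pro code and does not reproduce the plugin's process_filter() logic. The hypothetical unsafe_calculate() assembles PHP source from form values and hands it to eval(), exactly the pattern described above, while the hypothetical safe_calculate() and ArithmeticParser evaluate the same placeholder formula without ever giving user data to the PHP parser. The inputs are constructed, and the hostile value only sets a harmless marker so the difference is visible. Requires PHP 8.

```php
<?php
// Added illustration, not Everest Forms Pro code. unsafe_calculate() mimics the
// defect class (PHP source assembled from form values and passed to eval());
// safe_calculate() and ArithmeticParser are a hardened replacement that never
// hands user data to the PHP parser. All three names are hypothetical.

// UNSAFE: wraps each raw value in quotes without escaping, so a quote inside a
// submitted value closes the literal and the remainder runs as PHP.
function unsafe_calculate(string $formula, array $fields): float
{
    $code = preg_replace_callback('/\{(\w+)\}/', fn(array $m): string => "'" . ($fields[$m[1]] ?? '0') . "'", $formula);
    eval("\$result = $code;");
    return (float) $result;
}

// HARDENED: every value must pass is_numeric(), and the expression is evaluated
// by a small recursive-descent parser over a strict token whitelist. No eval().
function safe_calculate(string $formula, array $fields): float
{
    $expr = preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($fields): string {
        $value = $fields[$m[1]] ?? '0';
        if (!is_numeric($value)) {
            throw new InvalidArgumentException("field {$m[1]} is not numeric");
        }
        return (string) (float) $value;
    }, $formula);
    return (new ArithmeticParser($expr))->evaluate();
}

final class ArithmeticParser
{
    private array $tokens; private int $pos = 0;

    public function __construct(string $expr)
    {
        // Reject anything outside digits, '.', + - * / ( ) and whitespace before tokenising.
        if (!preg_match('/^[\d.\s+\-*\/()]*$/', $expr)) {
            throw new InvalidArgumentException('expression contains non-arithmetic characters');
        }
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
        $this->tokens = $m[0];
    }

    public function evaluate(): float
    {
        $value = $this->expr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('unexpected token ' . $this->tokens[$this->pos]);
        }
        return $value;
    }

    private function expr(): float   // expr := term (('+' | '-') term)*
    {
        $value = $this->term();
        while (($op = $this->tokens[$this->pos] ?? null) === '+' || $op === '-') {
            $this->pos++;
            $rhs = $this->term();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function term(): float   // term := factor (('*' | '/') factor)*
    {
        $value = $this->factor();
        while (($op = $this->tokens[$this->pos] ?? null) === '*' || $op === '/') {
            $this->pos++;
            $rhs = $this->factor();
            $value = $op === '*' ? $value * $rhs : $value / $rhs;  // PHP 8 throws DivisionByZeroError on /0
        }
        return $value;
    }

    private function factor(): float // factor := '-' factor | '(' expr ')' | number
    {
        $token = $this->tokens[$this->pos++] ?? null;
        if ($token === '-') {
            return -$this->factor();
        }
        if ($token === '(') {
            $value = $this->expr();
            if (($this->tokens[$this->pos++] ?? null) !== ')') {
                throw new InvalidArgumentException('missing closing parenthesis');
            }
            return $value;
        }
        if ($token === null || !is_numeric($token)) {
            throw new InvalidArgumentException('expected a number');
        }
        return (float) $token;
    }
}

// Constructed inputs: a normal submission and one whose value carries a quote
// followed by a harmless marker statement.
$formula = '{price} * {qty} - {discount}';
$normal  = ['price' => '19.99', 'qty' => '3', 'discount' => '5'];
$hostile = ['price' => "0'; \$GLOBALS['injected'] = true; \$x = '1", 'qty' => '1', 'discount' => '0'];

printf("safe, normal input: %.2f\n", safe_calculate($formula, $normal));
unsafe_calculate($formula, $hostile);
printf("unsafe, hostile input: marker statement executed = %s\n", var_export(isset($GLOBALS['injected']), true));
try {
    safe_calculate($formula, $hostile);
} catch (InvalidArgumentException $e) {
    printf("safe, hostile input: rejected (%s)\n", $e->getMessage());
}
```

The design point is that escaping quotes would only be a patch on the symptom: as long as user-controlled text is concatenated into PHP source, any gap in the escaping rules is code execution. Parsing the formula into a whitelisted token stream and interpreting it yourself removes eval() from the path entirely, and a non-numeric value fails closed with an exception instead of being interpreted.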
Observed Attack Patterns
Attackers have been using the vulnerability to create unauthorized administrator accounts, commonly with the username 'diksimarina'. Once they hold administrator access, they can upload malicious files, modify content, or compromise the server environment further.
Telemetry from the campaign has identified several IP addresses generating thousands of malicious requests, among them 202.56.2[.]126 and 209.146.60[.]26. The attacks primarily target the /wp-admin/admin-ajax.php endpoint with specially crafted POST requests.
Mitigation and Recommendations
This vulnerability is especially dangerous because it can be exploited without authentication. Sites running Everest Forms Pro are exposed, particularly when the Complex Calculation feature is in use. Wordfence reports that its users received early protection, but that is no substitute for the official fix: update to version 1.9.13 or later.
Administrators should update the plugin immediately, audit the user list for administrator accounts they did not create (the observed campaign uses 'diksimarina', but any unexpected account is suspect), and review web server logs for POST requests to /wp-admin/admin-ajax.php from the IPs above, especially from April 13, 2026 onward. If an unknown administrator account exists, assume the site was compromised beyond the initial injection: such an account is enough to upload files, so updating the plugin closes the entry point but does not remove anything the attacker left behind. Indicators of compromise include new unknown admin users and requests from the known malicious IPs.
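As an added example of the log review recommended above (this is not Wordfence or plugin code), the script below parses combined-format access log lines, keeps POST requests to the endpoint named in the report, and ranks source IPs, flagging the two addresses published above. The report does not give the request body or action parameter, so the match is on method and path only; the sample log lines are constructed for the demonstration, and the constant and function names are this example's own. Requires PHP 7.4 or later.

```php
<?php
// Added example for reviewing access logs, not Wordfence or plugin code. The
// indicator list holds the two addresses named in the report (un-defanged);
// the sample lines at the bottom are constructed for the demonstration.

const TARGET_PATH   = '/wp-admin/admin-ajax.php';
const KNOWN_BAD_IPS = ['202.56.2.126', '209.146.60.26'];

// Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null;    // unparsable line: skip it rather than abort the whole scan
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Per-IP count of POSTs to TARGET_PATH (query string ignored), first/last seen,
// and whether the IP is on the indicator list, sorted by count descending.
function summarise_ajax_posts(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null || $req['method'] !== 'POST' || strtok($req['path'], '?') !== TARGET_PATH) {
            continue;
        }
        $hits[$req['ip']] ??= ['count' => 0, 'first' => $req['time'], 'last' => $req['time'],
                              'known_bad' => in_array($req['ip'], KNOWN_BAD_IPS, true)];
        $hits[$req['ip']]['count']++;
        $hits[$req['ip']]['last'] = $req['time'];   // assumes the log is in chronological order
    }
    uasort($hits, fn(array $a, array $b): int => $b['count'] <=> $a['count']);
    return $hits;
}

// Constructed sample; on a real host replace with file('/var/log/apache2/access.log').
$sample = [
    '203.0.113.10 - - [13/Apr/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [13/Apr/2026:10:02:17 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [13/Apr/2026:10:02:18 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [13/Apr/2026:10:02:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '209.146.60.26 - - [13/Apr/2026:10:05:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [13/Apr/2026:10:06:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "https://example.com/wp-admin/" "Mozilla/5.0"',
    'garbage line that does not parse',
];

foreach (summarise_ajax_posts($sample) as $ip => $info) {
    printf("%-15s %3d POST(s) %s .. %s%s\n", $ip, $info['count'], $info['first'], $info['last'],
        $info['known_bad'] ? '  <-- on indicator list' : '');
}
```

One caveat when reading the output: POSTs to admin-ajax.php are routine for logged-in editors and for many plugins (the WordPress heartbeat in the sample is one such benign case), so volume alone proves nothing. The signal is hits from the listed addresses, bursts of requests from a single unfamiliar IP, and any administrator account whose creation time falls inside the same window.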
Given the active exploitation and ease of attack, this vulnerability is a substantial threat to WordPress sites, underscoring the importance of timely updates and continuous monitoring.
