A critical vulnerability in the Everest Forms Pro plugin is being actively exploited by attackers to gain complete control of WordPress websites. The flaw allows unauthorized code execution without authentication, enabling the creation of rogue administrator accounts.
Hackers are actively exploiting a critical vulnerability in the Everest Forms Pro plugin, which allows them to take complete control of WordPress websites. The security issue (CVE-2026-3300) affects versions 1.9.12 and earlier of the plugin and can be leveraged without authentication to execute arbitrary code on the server.
Everest Forms Pro is a commercial add-on for the WordPress form builder plugin Everest Forms. It is used to create contact, registration, payment, and other custom application forms on thousands of WordPress websites worldwide.
The vulnerability exists in the plugin's Complex Calculation feature, which accepts values submitted through form fields and inserts them into a PHP code string. It then executes the resulting code using PHP's 'eval()' function. Although user input is passed through a 'sanitize_text_field()' function, this does not escape single quotes (') or other characters that influence PHP syntax.
According to security researchers at Wordfence, this oversight allows attackers to close the intended string, inject arbitrary PHP code, and comment out the remaining generated code to achieve code execution on the server.
"The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username 'diksimarina'," explains a report from Wordfence. "The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error."
When the form is processed and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created. Administrator-level access gives attackers full power to perform high-risk actions on the breached website, including modifying content, installing plugins and themes, planting backdoors and webshells, and accessing private databases.
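As an added illustration (not the plugin's code, which the article does not reproduce), the following PHP models the pattern described above, a formula with field placeholders interpolated into a string that is passed to eval(), next to a hardened version that validates each value as a plain number and evaluates the arithmetic with a small interpreter instead of eval(). The template syntax, field names and function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Added illustration of the pattern the article describes; not the plugin's code.
// The template syntax, field names and helper names are assumptions for this example.

// --- Vulnerable pattern, shown for comparison only -------------------------
// Each {placeholder} is replaced by the submitted value wrapped in single quotes
// and the result is handed to eval(). strip_tags()+trim() stands in for
// sanitize_text_field(), which also leaves a single quote untouched, so a value
// containing ' ends the string literal early and the remainder is parsed as PHP.
function vulnerable_calculate( string $formula, array $fields ): float {
    foreach ( $fields as $name => $value ) {
        $clean   = trim( strip_tags( (string) $value ) );
        $formula = str_replace( '{' . $name . '}', "'" . $clean . "'", $formula );
    }
    return (float) eval( 'return ' . $formula . ';' );
}

// --- Hardened replacement ---------------------------------------------------
// Every value must be a plain decimal number, the template may only contain
// numbers, placeholders and + - * / ( ), and the arithmetic is computed by a
// small shunting-yard interpreter. No submitted byte is ever parsed as PHP.
function safe_calculate( string $formula, array $fields ): float {
    if ( ! preg_match( '/^[\d\s.+\-*\/(){}A-Za-z_]+$/', $formula ) ) {
        throw new InvalidArgumentException( 'formula contains disallowed characters' );
    }
    foreach ( $fields as $name => $value ) {
        $value = trim( (string) $value );
        if ( ! preg_match( '/^-?\d+(\.\d+)?$/', $value ) ) {
            throw new InvalidArgumentException( "field {$name} is not a plain number" );
        }
        // Parenthesised so a negative value cannot merge with a preceding operator.
        $formula = str_replace( '{' . $name . '}', "($value)", $formula );
    }
    if ( preg_match( '/[{}A-Za-z_]/', $formula ) ) {
        throw new InvalidArgumentException( 'unresolved placeholder in formula' );
    }
    return evaluate_arithmetic( $formula );
}

// Minimal + - * / ( ) evaluator with unary minus (shunting yard to RPN, then a
// stack machine). Requires PHP 8 for match().
function evaluate_arithmetic( string $expr ): float {
    $expr = preg_replace( '/\s+/', '', $expr );
    preg_match_all( '/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m );
    if ( implode( '', $m[0] ) !== $expr ) {
        throw new InvalidArgumentException( 'unexpected character in expression' );
    }
    $prec = [ '+' => 1, '-' => 1, '*' => 2, '/' => 2, 'u' => 3 ]; // 'u' = unary minus
    $output = []; $ops = []; $prev = null;                         // $prev: 'n', '(', ')' or operator
    foreach ( $m[0] as $tok ) {
        if ( ctype_digit( $tok[0] ) ) {
            $output[] = (float) $tok; $prev = 'n';
        } elseif ( $tok === '(' ) {
            $ops[] = $tok; $prev = '(';
        } elseif ( $tok === ')' ) {
            while ( $ops && end( $ops ) !== '(' ) { $output[] = array_pop( $ops ); }
            if ( array_pop( $ops ) !== '(' ) { throw new InvalidArgumentException( 'unbalanced parentheses' ); }
            $prev = ')';
        } else {
            // A '-' that does not follow an operand is unary; it binds tightest and stacks directly.
            $op = ( $tok === '-' && ( $prev === null || $prev === '(' || isset( $prec[ $prev ] ) ) ) ? 'u' : $tok;
            while ( $op !== 'u' && $ops && end( $ops ) !== '(' && $prec[ end( $ops ) ] >= $prec[ $op ] ) {
                $output[] = array_pop( $ops );
            }
            $ops[] = $op; $prev = $op;
        }
    }
    while ( $ops ) {
        $op = array_pop( $ops );
        if ( $op === '(' ) { throw new InvalidArgumentException( 'unbalanced parentheses' ); }
        $output[] = $op;
    }
    $stack = [];
    foreach ( $output as $tok ) {
        if ( is_float( $tok ) ) { $stack[] = $tok; continue; }
        if ( $tok === 'u' ) {
            if ( ! $stack ) { throw new InvalidArgumentException( 'malformed expression' ); }
            $stack[] = -array_pop( $stack ); continue;
        }
        if ( count( $stack ) < 2 ) { throw new InvalidArgumentException( 'malformed expression' ); }
        $b = array_pop( $stack ); $a = array_pop( $stack );
        if ( $tok === '/' && $b == 0.0 ) { throw new InvalidArgumentException( 'division by zero' ); }
        $stack[] = match ( $tok ) { '+' => $a + $b, '-' => $a - $b, '*' => $a * $b, '/' => $a / $b };
    }
    if ( count( $stack ) !== 1 ) { throw new InvalidArgumentException( 'malformed expression' ); }
    return $stack[0];
}

// Constructed inputs for demonstration.
$formula = '({price} * {qty}) - {discount}';
echo safe_calculate( $formula, [ 'price' => '19.99', 'qty' => '3', 'discount' => '5' ] ), PHP_EOL;
try { // a value carrying a stray quote never reaches any evaluator
    safe_calculate( $formula, [ 'price' => "19.99'", 'qty' => '3', 'discount' => '5' ] );
} catch ( InvalidArgumentException $e ) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The hardened version fails closed: a value containing a quote, letters or anything beyond a decimal number is rejected before evaluation, and the template itself is validated before substitution, so neither the formula nor the submitted fields can introduce PHP syntax. The point is not the exact sanitizer but the design: user input should only ever be data to an arithmetic interpreter, never text that becomes part of a program.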

The vulnerability was discovered by researcher h0xilo, who submitted it through Wordfence in February. On March 18, 2026, the Everest Forms developer released a patch that addresses the issue. However, active exploitation began on April 13, with Wordfence blocking over 29,300 attempts to date.
Wordfence telemetry data shows that exploitation attempts originate primarily from two IP addresses, 202.56.2[.]126 and 209.146.60[.]26 (defanged). The security firm recommends that defenders block these addresses and provides several offending IP addresses as indicators of compromise (IOCs).
Website administrators should take immediate action to protect their sites:
- Update Everest Forms Pro to the latest version (1.9.13 or higher) as soon as possible
- Check administrator accounts for any suspicious usernames, particularly "diksimarina"
- Review log files for unusual activity, especially form submissions with single quotes
- Implement strong password policies and two-factor authentication for all administrator accounts
- Regularly audit installed plugins and themes for known vulnerabilities
- Use security plugins like Wordfence or Sucuri to detect and block malicious activity
- Consider implementing file integrity monitoring to detect unauthorized changes
To determine if a site has been compromised, administrators should:
- Check the users list for unauthorized administrator accounts
- Review recent plugin and theme installations
- Scan for backdoors in core WordPress files and plugin directories
- Check for unusual database entries or modifications
- Monitor for suspicious outbound connections or data exfiltration
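Two of the checks above, reviewing form submissions for single-quote injection and reviewing the administrator list, can be scripted. The following PHP is an added example, not code from the article, Wordfence or the plugin: it works on plain arrays so it runs offline, the record shapes and function names are assumptions, and the sample submission and user records are constructed (only the "diksimarina" username and the April 13, 2026 exploitation date come from the article).

```php
<?php
declare(strict_types=1);
// Added triage helpers for the checks listed above; not from the article,
// Wordfence or the plugin. Both work on plain arrays so they run offline; the
// records at the bottom are constructed for this example.

// Traits of one submitted field value. A lone apostrophe is normal in names
// like O'Brien, so callers should act on two or more indicators, not one.
function submission_indicators( string $value ): array {
    $hits = [];
    if ( strpos( $value, "'" ) !== false )                        { $hits[] = 'single quote'; }
    if ( preg_match( '/\b[a-z_]\w*\(/i', $value ) )                { $hits[] = 'function-call syntax'; }
    if ( preg_match( '/\/\/\s*$|\/\*/', $value ) )                 { $hits[] = 'trailing comment marker'; }
    if ( preg_match( '/\bwp_insert_user\b|\beval\b/i', $value ) )  { $hits[] = 'account-creation or eval call'; }
    return $hits;
}

// Returns [field => indicators] for every field whose score reaches $threshold.
function flag_submission( array $fields, int $threshold = 2 ): array {
    $flagged = [];
    foreach ( $fields as $name => $value ) {
        $hits = submission_indicators( (string) $value );
        if ( count( $hits ) >= $threshold ) { $flagged[ $name ] = $hits; }
    }
    return $flagged;
}

// Administrator accounts that match a known IOC username or were registered on
// or after the first observed exploitation date. Each record is
// ['login' => ..., 'roles' => [...], 'registered' => 'Y-m-d H:i:s'], the shape
// you would build from get_users() or a wp_users export.
function suspicious_admins( array $users, string $exploitation_start, array $ioc_logins ): array {
    $since   = new DateTimeImmutable( $exploitation_start );
    $flagged = [];
    foreach ( $users as $u ) {
        if ( ! in_array( 'administrator', $u['roles'], true ) ) { continue; }
        $reasons = [];
        if ( in_array( strtolower( $u['login'] ), $ioc_logins, true ) ) { $reasons[] = 'username matches IOC'; }
        if ( new DateTimeImmutable( $u['registered'] ) >= $since )       { $reasons[] = 'registered after exploitation began'; }
        if ( $reasons ) { $flagged[ $u['login'] ] = $reasons; }
    }
    return $flagged;
}

// --- Constructed sample data ------------------------------------------------
$submission = [
    'name'  => "Siobhan O'Brien",        // legitimate apostrophe: one indicator only
    'qty'   => '3',
    'notes' => "0'; some_call(); //",    // quote + call syntax + comment marker
];
$users = [
    [ 'login' => 'siteowner',   'roles' => [ 'administrator' ], 'registered' => '2021-06-01 10:00:00' ],
    [ 'login' => 'editor1',     'roles' => [ 'editor' ],        'registered' => '2026-04-14 09:30:00' ],
    [ 'login' => 'diksimarina', 'roles' => [ 'administrator' ], 'registered' => '2026-04-14 02:11:09' ],
];

print_r( flag_submission( $submission ) );
// Exploitation was first observed on April 13, 2026 (date from the article).
print_r( suspicious_admins( $users, '2026-04-13', [ 'diksimarina' ] ) );
```

The submission scorer deliberately requires two independent traits before flagging, because a single quote on its own appears in ordinary names and free text; the admin check is a starting point for review, not proof of compromise, since a legitimately created administrator after April 13 will also be listed and should simply be confirmed with the site owner.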
The exploitation of this vulnerability highlights the ongoing risks associated with using plugins that handle user input insecurely. The use of PHP's eval() function with insufficient input sanitization continues to be a common security issue in WordPress plugins.
For more information about the vulnerability and protection measures, website administrators can refer to the official Everest Forms security announcement and the detailed Wordfence analysis.
This incident serves as a reminder for WordPress site owners to maintain regular updates, monitor security advisories, and implement robust security practices to protect against evolving threats in the WordPress ecosystem.