Hackers are actively exploiting a critical security flaw in the Everest Forms Pro WordPress plugin that can allow them to take full control of vulnerable websites.
The vulnerability, tracked as CVE-2026-3300, affects Everest Forms Pro versions 1.9.12 and earlier, and it can be exploited by unauthenticated attackers: no account on the target site is required.
Everest Forms Pro is a paid add-on for the Everest Forms plugin, which is used to create contact forms, registration forms, payment forms, and other custom forms on WordPress sites. The flaw exists in the plugin’s Complex Calculation feature, which takes values submitted through form fields and places them inside a PHP code string before running it with PHP’s eval() function. In other words, untrusted form input becomes part of the source code being executed rather than data the code operates on, which is the textbook shape of a code injection bug.
Although the plugin passes user input through sanitize_text_field() first, Wordfence says the function does not escape single quotes and other characters that affect PHP syntax. That is by design: sanitize_text_field() strips HTML tags and stray whitespace from text, but it was never meant to make a value safe inside PHP source, so a quote in the input survives intact. Because of this, attackers can break out of the intended string literal, inject their own PHP statements, and comment out the remaining generated code so that it still parses.
According to Wordfence, attackers are using the flaw to create unauthorized administrator accounts on targeted WordPress websites. In one observed attack, the submitted form value starts with a single quote to close the existing string, followed by PHP code that calls wp_insert_user() to create a new administrator account with the username “diksimarina.” The rest of the generated PHP code is then commented out so the malicious code can run without causing a syntax error.
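The following is an added example, not code from Everest Forms Pro or from Wordfence. It reconstructs the pattern the article describes (a field value pasted into a single-quoted PHP string that is then passed to eval()), shows how a value containing a quote escapes the literal, and puts a hardened evaluator beside it that binds values only as numbers and computes the formula without generating any PHP source. The `{field}` placeholder syntax, the function names, and the `sanitize_text_field_stub()` helper are assumptions made for this example; the injected statement in the demo only sets a marker variable, not a user account.

```php
<?php
// Added example, not code from Everest Forms Pro or Wordfence (needs PHP 8).
// Reconstructs the pattern the article describes (field values pasted into a
// PHP string that is passed to eval()) beside an evaluator that never builds
// code. The {field} syntax, helper names and sanitizer stub are assumptions.

// Stand-in for WordPress's sanitize_text_field(): strips tags and collapses
// whitespace but, like the real function, leaves single quotes untouched.
function sanitize_text_field_stub(string $value): string {
    return trim(preg_replace('/\s+/', ' ', strip_tags($value)));
}

// VULNERABLE: each field becomes a single-quoted PHP string literal inside
// code that is then eval()'d, so a quote in a value closes the literal early.
function vulnerable_calculate(string $formula, array $fields): mixed {
    $code = $formula;
    foreach ($fields as $name => $value) {
        $clean = sanitize_text_field_stub($value);
        $code = str_replace('{' . $name . '}', "'" . $clean . "'", $code);
    }
    $result = null;
    eval('$result = ' . $code . ';');   // attacker-controlled source runs here
    return $result;
}

// HARDENED: values are accepted only if numeric, the author-written formula is
// tokenized against a whitelist ({field}, numbers, + - * / and parentheses),
// and the result is computed with shunting-yard. No PHP source is generated.
function hardened_calculate(string $formula, array $fields): float {
    $vars = [];
    foreach ($fields as $name => $value) {
        if (!is_numeric($value)) { throw new InvalidArgumentException("field '$name' is not numeric"); }
        $vars[$name] = (float) $value;
    }
    preg_match_all('/\{\w+\}|\d+(?:\.\d+)?|[-+*\/()]/', $formula, $m);
    if (implode('', $m[0]) !== preg_replace('/\s+/', '', $formula)) {
        throw new InvalidArgumentException('formula contains unsupported characters');
    }
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $output = []; $ops = [];
    foreach ($m[0] as $tok) {                               // infix -> postfix
        if (isset($prec[$tok])) {
            while ($ops && isset($prec[end($ops)]) && $prec[end($ops)] >= $prec[$tok]) {
                $output[] = array_pop($ops);
            }
            $ops[] = $tok;
        } elseif ($tok === '(') {
            $ops[] = $tok;
        } elseif ($tok === ')') {
            while ($ops && end($ops) !== '(') { $output[] = array_pop($ops); }
            if (array_pop($ops) !== '(') { throw new InvalidArgumentException('unbalanced parentheses'); }
        } else {
            $output[] = $tok;
        }
    }
    while ($ops) {
        $op = array_pop($ops);
        if ($op === '(') { throw new InvalidArgumentException('unbalanced parentheses'); }
        $output[] = $op;
    }
    $stack = [];
    foreach ($output as $tok) {                             // evaluate postfix
        if (isset($prec[$tok])) {
            if (count($stack) < 2) { throw new InvalidArgumentException('malformed formula'); }
            $b = array_pop($stack); $a = array_pop($stack);
            $stack[] = match ($tok) {
                '+' => $a + $b,
                '-' => $a - $b,
                '*' => $a * $b,
                '/' => $b == 0.0 ? throw new DivisionByZeroError('division by zero') : $a / $b,
            };
        } elseif ($tok[0] === '{') {
            $name = substr($tok, 1, -1);
            if (!array_key_exists($name, $vars)) { throw new InvalidArgumentException("unknown field '$name'"); }
            $stack[] = $vars[$name];
        } else {
            $stack[] = (float) $tok;
        }
    }
    if (count($stack) !== 1) { throw new InvalidArgumentException('malformed formula'); }
    return $stack[0];
}

// Demo with constructed input. The payload has the shape the article describes
// (a quote closes the literal, attacker code follows, // comments out the rest
// of the generated code) but the injected statement only sets a marker.
$formula = '{qty} * {price}';
$payload = "0'; \$GLOBALS['injected'] = true; //";
var_dump(vulnerable_calculate($formula, ['qty' => '3', 'price' => '2.5']));
vulnerable_calculate($formula, ['qty' => $payload, 'price' => '2.5']);
var_dump(isset($GLOBALS['injected']));   // did the eval()'d code set the marker?
var_dump(hardened_calculate($formula, ['qty' => '3', 'price' => '2.5']));
try {
    hardened_calculate($formula, ['qty' => $payload, 'price' => '2.5']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The vulnerable function produces the same generated code the attack relies on: after substitution the statement reads `$result = '0'; $GLOBALS['injected'] = true; //' * '2.5';`, so the marker is set and the trailing `' * '2.5';` is swallowed by the comment. The hardened function rejects the same payload before any evaluation because `is_numeric()` fails, and even a value that passes is only ever placed on an evaluation stack as a float. The general lesson is that a sanitizer built for one context (HTML) says nothing about safety in another (PHP source); the fix is to stop building code from input altogether, not to add more escaping.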
Once attackers gain administrator access, they can make dangerous changes to the compromised website. This includes editing site content, installing malicious plugins or themes, adding backdoors and webshells, and accessing private database information.
The vulnerability was reported to Wordfence by researcher h0xilo in February. The developer of Everest Forms released a patch on March 18 to fix the issue. However, Wordfence says active exploitation began on April 13, and its firewall has blocked more than 29,300 attack attempts so far.
Wordfence says many attacks have come from the IP addresses 202.56.2[.]126 and 209.146.60[.]26, and it recommends that website owners block them. The company has also shared additional offending IP addresses as indicators of compromise.
Website administrators using Everest Forms Pro should update to a version later than 1.9.12 immediately if they have not already done so. Because a successful attack leaves a persistent administrator account behind, they should also review the site’s administrator accounts for any they did not create, especially the username “diksimarina,” and check server logs for form submissions from the IP addresses Wordfence has published.