Everest Forms Pro: Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code

Critical RCE Vulnerability in Everest Forms Pro Plugin Exploited in the Wild

Hackers are actively exploiting a severe remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin, tracked as CVE-2026-3300 (CVSS 9.8). The flaw, affecting all versions up to 1.9.12, allows unauthenticated attackers to execute arbitrary PHP code on vulnerable websites by manipulating form inputs.

The vulnerability stems from the plugin’s "Complex Calculation" feature, where the process_filter() function dynamically constructs and evaluates PHP code using eval(). Despite input sanitization via sanitize_text_field(), the function fails to escape single quotes, enabling attackers to inject malicious payloads through standard form fields (text, email, URL, select, radio). By appending a single quote followed by arbitrary PHP code, threat actors can bypass security controls and gain server-side execution.
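The paragraph above describes a calculation feature that builds PHP source from submitted values and runs it with eval(). As an added Python analogue (not the plugin's PHP code, and not a reproduction of the flaw), the calculator below parses the admin-authored formula into a restricted arithmetic AST and coerces each submitted field value to a number, so user input is never concatenated into code and a quote in a field cannot alter what executes. The formula syntax, field names and sample values are assumptions.

```python
import ast
import operator

# Only these expression forms are allowed in a formula; everything else is rejected.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _to_number(name, raw):
    """Coerce one submitted field value to a float; anything non-numeric is an error,
    so a value such as a quote followed by text never reaches the evaluator as code."""
    try:
        return float(str(raw).strip())
    except ValueError:
        raise ValueError(f"field {name!r} is not numeric: {raw!r}")


def _eval_node(node, fields):
    """Walk the parsed formula, permitting only numbers, field names and arithmetic."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, fields)
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return float(node.value)
    if isinstance(node, ast.Name):  # a field reference, e.g. 'price'
        if node.id not in fields:
            raise ValueError(f"unknown field {node.id!r}")
        return _to_number(node.id, fields[node.id])
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, fields),
                                       _eval_node(node.right, fields))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, fields))
    raise ValueError(f"disallowed syntax in formula: {type(node).__name__}")


def calculate(formula, fields):
    """Evaluate an admin-authored formula such as 'price * qty + 5' against the
    submitted field values. The values are data only; they are never parsed as code."""
    tree = ast.parse(formula, mode="eval")  # hypothetical formula syntax (assumed)
    return _eval_node(tree, fields)
```

Calls, attribute access, strings and any other syntax in the formula raise ValueError, as does a field value that is not a number.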

Publicly disclosed on March 30, 2026, after a patch was released on March 18, 2026, the flaw saw active exploitation beginning April 13, 2026. Wordfence reported blocking over 29,300 exploitation attempts, with a sharp spike of 17,900 attacks on May 16 alone. Attackers primarily exploit the /wp-admin/admin-ajax.php endpoint via crafted POST requests, targeting websites with the Complex Calculation feature enabled.

Observed attack patterns include the creation of rogue administrator accounts, such as the username "diksimarina", using WordPress’s wp_insert_user() function. Once administrative access is obtained, attackers deploy webshells, backdoors, or further compromise the hosting environment. Multiple malicious IPs have been identified, including:

  • 202.56.2[.]126 (tens of thousands of blocked requests)
  • 209.146.60[.]26 (thousands of exploit attempts)
  • 15.235.166[.]18 (hundreds of malicious requests)
  • 2402:1f00:8000[:]800::40db (IPv6-based attacks)
  • 185.78.165[.]153 (hostile scanning activity)

While Wordfence provided early protection via firewall rules (February 27 for paid users, March 29 for free users), full mitigation requires updating to version 1.9.13. Indicators of compromise include unauthorized admin accounts and suspicious requests from known malicious IPs. The low barrier to exploitation and active campaign make this a high-impact threat to WordPress environments.
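An added example, not from the article or from Wordfence, that sweeps constructed access-log lines and a constructed user list for the indicators the article gives: POST requests to /wp-admin/admin-ajax.php, the listed source addresses, and administrator accounts that are either named "diksimarina" or were created on or after the April 13, 2026 start of in-the-wild exploitation. The Apache combined log format, the user-row fields and the sample rows are assumptions.

```python
import re
from datetime import datetime

# Source addresses and rogue username reported in the article (shown defanged there).
KNOWN_BAD_IPS = {"202.56.2.126", "209.146.60.26", "15.235.166.18",
                 "2402:1f00:8000:800::40db", "185.78.165.153"}
ROGUE_USERNAMES = {"diksimarina"}
TARGET_PATH = "/wp-admin/admin-ajax.php"
EXPLOITATION_START = datetime(2026, 4, 13)  # first observed in-the-wild attempts

# Apache combined log format (assumed); only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines: one listed source address, one ordinary visitor.
SAMPLE_LOG = [
    '202.56.2.126 - - [16/May/2026:10:01:22 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/May/2026:10:02:05 +0000] "GET /contact/ HTTP/1.1" 200 8192',
    '198.51.100.7 - - [16/May/2026:10:02:09 +0000] "POST /wp-admin/admin-ajax.php?x=1 HTTP/1.1" 200 64',
]
# Constructed wp_users-style rows (user_registered as ISO 8601).
SAMPLE_USERS = [
    {"user_login": "siteadmin", "role": "administrator", "user_registered": "2024-01-10 09:00:00"},
    {"user_login": "diksimarina", "role": "administrator", "user_registered": "2026-05-16 03:12:44"},
    {"user_login": "writer", "role": "editor", "user_registered": "2026-05-01 12:00:00"},
]


def scan_access_log(lines):
    """One finding per POST to admin-ajax.php; known_bad marks the article's listed IPs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == TARGET_PATH:
            findings.append({"ip": m["ip"], "when": m["ts"],
                             "known_bad": m["ip"] in KNOWN_BAD_IPS})
    return findings


def suspicious_admins(users):
    """Administrators with a known rogue name or created during the campaign window."""
    flagged = []
    for u in users:
        created = datetime.fromisoformat(u["user_registered"])
        if u["role"] == "administrator" and (
                u["user_login"] in ROGUE_USERNAMES or created >= EXPLOITATION_START):
            flagged.append(u["user_login"])
    return flagged
```

admin-ajax.php is used by many legitimate plugins, so POSTs from unlisted addresses are review items rather than confirmed compromise; the listed-IP and rogue-admin matches are the strong signals.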

Source: https://cybersecuritynews.com/wordpress-plugin-vulnerability-exploit/

ThemeGrill cybersecurity rating report: https://www.rankiteo.com/company/themegrillofficial

{
  "id": "THE1780575910",
  "linkid": "themegrillofficial",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "industry": "Web Development, Content Management Systems",
      "location": "Global",
      "name": "Everest Forms Pro Plugin Users",
      "type": "Software/Plugin"
    }
  ],
  "attack_vector": "Unauthenticated form input manipulation via /wp-admin/admin-ajax.php",
  "date_detected": "2026-04-13",
  "date_publicly_disclosed": "2026-03-30",
  "description": "Hackers are actively exploiting a severe remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin (CVE-2026-3300, CVSS 9.8). The flaw allows unauthenticated attackers to execute arbitrary PHP code on vulnerable websites by manipulating form inputs through the plugin’s 'Complex Calculation' feature.",
  "impact": {
    "operational_impact": "Unauthorized administrative access, webshell deployment, backdoor installation",
    "systems_affected": "WordPress websites using Everest Forms Pro plugin (versions ≤ 1.9.12)"
  },
  "initial_access_broker": {
    "backdoors_established": "Unauthorized admin accounts, webshells"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Low barrier to exploitation due to insufficient input sanitization in dynamic code evaluation. Importance of timely patching and WAF protection for WordPress plugins.",
  "post_incident_analysis": {
    "corrective_actions": "Patch released (version 1.9.13), improved input validation, and escaping in dynamic code evaluation.",
    "root_causes": "Insufficient input sanitization in the 'Complex Calculation' feature, allowing arbitrary PHP code injection via single quotes."
  },
  "recommendations": [
    "Update Everest Forms Pro to version 1.9.13 or later",
    "Remove unauthorized admin accounts (e.g., 'diksimarina')",
    "Scan for webshells and backdoors",
    "Monitor and block malicious IPs associated with the attack",
    "Enable Wordfence or similar firewall protection"
  ],
  "references": [{"source": "Wordfence"}],
  "response": {
    "containment_measures": "Firewall rules blocking malicious IPs, plugin update to version 1.9.13",
    "enhanced_monitoring": "Wordfence attack blocking and monitoring",
    "remediation_measures": "Patch to version 1.9.13, removal of unauthorized admin accounts, webshell cleanup",
    "third_party_assistance": "Wordfence (firewall protection)"
  },
  "title": "Critical RCE Vulnerability in Everest Forms Pro Plugin Exploited in the Wild",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "CVE-2026-3300 (CVSS 9.8)"
}