Critical Everest Forms Pro Vulnerability Exploited to Compromise WordPress Sites

Hackers are actively exploiting a critical Everest Forms Pro vulnerability that allows unauthenticated code execution on WordPress sites, enabling attackers to create rogue admin accounts and potentially take full control of affected websites.

Hackers are actively exploiting a critical vulnerability in the Everest Forms Pro WordPress plugin that can allow unauthenticated attackers to execute arbitrary code and take full control of affected websites.

The flaw, tracked as CVE-2026-3300, affects Everest Forms Pro versions 1.9.12 and earlier. Successful exploitation can give attackers server-level code execution, allowing them to create unauthorized administrator accounts, modify website content, install malicious plugins or themes, deploy backdoors, and access sensitive site data.

Everest Forms Pro is a commercial extension for the Everest Forms WordPress form builder. It is commonly used to create contact forms, registration forms, payment forms, and other custom application forms.

The vulnerability exists in the plugin’s Complex Calculation feature. This feature processes values submitted through form fields and inserts them into a PHP code string, which is then executed using PHP’s eval() function.

Although the submitted input is passed through WordPress’ sanitize_text_field() function, that function does not safely escape all characters that can affect PHP syntax, including single quotes. As a result, an attacker can submit crafted input that breaks out of the intended string, injects malicious PHP code, and comments out the rest of the generated code to avoid syntax errors.
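The defect described above is a design problem rather than a missing escape: no sanitiser makes untrusted text safe to concatenate into PHP source. The following is an added example (not Everest Forms code, and not the vendor's patch) of how a calculation feature can avoid the issue entirely. Field values are accepted only if they are plain numbers, and the arithmetic template is interpreted by a small shunting-yard parser instead of being executed with eval(). The "{field}" template syntax and the function names are assumptions made for the example.

```php
<?php
// Added example, not Everest Forms code. Submitted values are validated as
// numbers and the arithmetic is interpreted by a small parser, so no submitted
// text is ever concatenated into PHP source. The "{field}" template syntax and
// the function names are assumptions.

/** Accept a plain decimal number; reject anything else (quotes, letters, ...). */
function ef_example_numeric_field(string $raw): ?float
{
    $raw = trim($raw);
    return preg_match('/^-?\d+(\.\d+)?$/', $raw) ? (float) $raw : null;
}

/**
 * Compute a template such as "{qty} * {price} + 10" from submitted $fields
 * (name => raw string). Returns null on invalid input or malformed arithmetic.
 */
function ef_example_calculate(string $template, array $fields): ?float
{
    $bad  = false;
    $expr = preg_replace_callback(
        '/\{([A-Za-z0-9_]+)\}/',
        function (array $m) use ($fields, &$bad): string {
            $val = ef_example_numeric_field((string) ($fields[$m[1]] ?? ''));
            if ($val === null) {
                $bad = true;
                return '0';
            }
            // Wrap negatives so the tokenizer only ever sees binary operators.
            return $val < 0 ? '(0' . $val . ')' : (string) $val;
        },
        $template
    );
    // Whatever remains must consist of digits, operators, parentheses and spaces.
    if ($bad || !preg_match('#^[\d.\s+\-*/()]+$#', $expr)) {
        return null;
    }
    preg_match_all('#\d+(?:\.\d+)?|[-+*/()]#', $expr, $tok);

    // Shunting-yard: infix tokens -> RPN queue.
    $prec = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $rpn  = [];
    $ops  = [];
    foreach ($tok[0] as $t) {
        if (is_numeric($t)) {
            $rpn[] = (float) $t;
        } elseif (isset($prec[$t])) {
            while ($ops && isset($prec[end($ops)]) && $prec[end($ops)] >= $prec[$t]) {
                $rpn[] = array_pop($ops);
            }
            $ops[] = $t;
        } elseif ($t === '(') {
            $ops[] = $t;
        } else { // ')'
            while ($ops && end($ops) !== '(') {
                $rpn[] = array_pop($ops);
            }
            if (!$ops) {
                return null; // unbalanced parenthesis
            }
            array_pop($ops);
        }
    }
    while ($ops) {
        $op = array_pop($ops);
        if ($op === '(') {
            return null;
        }
        $rpn[] = $op;
    }

    // Evaluate the RPN queue with an explicit stack.
    $stack = [];
    foreach ($rpn as $t) {
        if (is_float($t)) {
            $stack[] = $t;
            continue;
        }
        if (count($stack) < 2) {
            return null;
        }
        $b = array_pop($stack);
        $a = array_pop($stack);
        if ($t === '/' && $b == 0.0) {
            return null;
        }
        $stack[] = match ($t) { '+' => $a + $b, '-' => $a - $b, '*' => $a * $b, '/' => $a / $b };
    }
    return count($stack) === 1 ? $stack[0] : null;
}

// Normal submission: the template is computed from the two numeric fields.
var_dump(ef_example_calculate('{qty} * {price} + 10', ['qty' => '3', 'price' => '4.5']));
// A value containing a quote is refused before any arithmetic happens.
var_dump(ef_example_calculate('{qty} * {price}', ['qty' => "4'", 'price' => '2']));
```

The first call returns the computed total; the second returns null because the quoted value never passes the numeric check. The important property is that a rejected value produces a failed calculation, never a change in what code runs, which is exactly what eval() over concatenated input cannot guarantee.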

According to Wordfence telemetry, attackers are exploiting the vulnerability in the wild to create rogue WordPress administrator accounts. In observed attacks, malicious form submissions attempted to execute PHP code that calls wp_insert_user() to create a new administrator account using the username “diksimarina.”

Once an attacker gains administrator access, they can fully control the WordPress site. This includes changing content, uploading malicious files, installing persistence mechanisms, adding webshells, redirecting visitors, stealing data, or using the compromised site for further attacks.

The vulnerability was reported to Wordfence by researcher h0xilo in February. A patch was released by the Everest Forms developer on March 18, addressing the insecure handling of calculation inputs.

Wordfence reports that active exploitation began on April 13, with its firewall blocking more than 29,300 exploit attempts. The company says much of the activity originated from the IP addresses 202.56.2[.]126 and 209.146.60[.]26, though additional indicators of compromise were also published.

Website administrators using Everest Forms Pro should immediately update to the latest available version. Administrators should also review user accounts for unauthorized administrators, inspect server and access logs for suspicious form submissions, and search for indicators such as the username “diksimarina.”

Because this vulnerability can lead to full site takeover, affected sites should be treated as potentially compromised if they were running a vulnerable version during the exploitation window.
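The review steps above can be applied mechanically to data a site operator already has: the web-server access log and the site's user list. The following is an added example (not Wordfence or Everest Forms code) that flags log lines from the two published IP addresses and administrator accounts that either carry the published username or were registered on or after the start of the exploitation window. The log lines and user records are constructed samples; the request path, the log format and the year in the window-start date are assumptions.

```php
<?php
// Added example, not Wordfence or Everest Forms code. Log lines and user
// records below are constructed samples. The window start (13 April) is the
// date from the report; the year, request path and log format are assumptions.

// Published indicators, written undefanged so they match raw log text.
const EF_EXAMPLE_IOC_IPS   = ['202.56.2.126', '209.146.60.26'];
const EF_EXAMPLE_IOC_LOGIN = 'diksimarina';

/** Flag access-log lines whose client address is one of the published IPs. */
function ef_example_scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        foreach (EF_EXAMPLE_IOC_IPS as $ip) {
            // Anchor at line start so an address such as 1.202.56.2.126 cannot match.
            if (preg_match('/^' . preg_quote($ip, '/') . '\s/', $line)) {
                $hits[] = ['line' => $i + 1, 'ip' => $ip, 'text' => $line];
            }
        }
    }
    return $hits;
}

/**
 * Flag administrator accounts that carry the published username or were
 * registered on/after $windowStart. Each $users entry: login, role, registered.
 */
function ef_example_review_admins(array $users, string $windowStart): array
{
    $flagged = [];
    $since   = new DateTimeImmutable($windowStart, new DateTimeZone('UTC'));
    foreach ($users as $u) {
        if ($u['role'] !== 'administrator') {
            continue;
        }
        $reasons = [];
        if (strcasecmp($u['login'], EF_EXAMPLE_IOC_LOGIN) === 0) {
            $reasons[] = 'published IoC username';
        }
        $registered = new DateTimeImmutable($u['registered'], new DateTimeZone('UTC'));
        if ($registered >= $since) {
            $reasons[] = 'created inside exploitation window';
        }
        if ($reasons) {
            $flagged[] = ['login' => $u['login'], 'reasons' => $reasons];
        }
    }
    return $flagged;
}

// Constructed sample data (combined log format; 203.0.113.0/24 is a documentation range).
$accessLog = [
    '203.0.113.7 - - [12/Apr/2026:09:14:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [13/Apr/2026:11:02:45 +0000] "POST /contact/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '209.146.60.26 - - [13/Apr/2026:11:03:10 +0000] "POST /contact/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
];
$users = [
    ['login' => 'siteowner',   'role' => 'administrator', 'registered' => '2024-06-01 08:00:00'],
    ['login' => 'editor_jane', 'role' => 'editor',        'registered' => '2025-01-15 10:30:00'],
    ['login' => 'diksimarina', 'role' => 'administrator', 'registered' => '2026-04-13 11:02:47'],
];

foreach (ef_example_scan_access_log($accessLog) as $h) {
    printf("log line %d from %s: %s\n", $h['line'], $h['ip'], $h['text']);
}
foreach (ef_example_review_admins($users, '2026-04-13 00:00:00') as $f) {
    printf("review admin %s: %s\n", $f['login'], implode(', ', $f['reasons']));
}
```

On a live site the user records can be exported with WP-CLI (`wp user list --role=administrator --fields=user_login,user_registered`) and fed to the review function. A hit on either check is a reason to treat the site as compromised rather than merely patched, since the account review only catches the specific persistence the report observed and says nothing about other backdoors an attacker with code execution may have left.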

Zach Miles