Critical Everest Forms Pro flaw exploited to take over WordPress sites
A critical vulnerability (CVE-2026-3300) in Everest Forms Pro for WordPress is being exploited to gain full control of sites, affecting versions up to 1.9.12 and enabling unauthenticated remote code execution via the Complex Calculation feature. A patch was released on March 18, 2026, but exploitation began by April 13, with attackers creating rogue administrator accounts (notably using the username 'diksimarina'). Wordfence blocked thousands of attempts; defenders should block known bad IPs (202.56.2.126 and 209.146.60.26), review logs, and scan for suspicious admin accounts.
CRITICAL EVEREST FORMS PRO FLAW EXPLOITED TO TAKE OVER WORDPRESS SITES
OverviewA critical vulnerability, CVE-2026-3300, in the Everest Forms Pro plugin enables attackers to gain full control of a WordPress site. The flaw affects versions 1.9.12 and earlier and can be exploited without authentication to execute arbitrary code on the server. Everest Forms Pro is a commercial add-on for the WordPress form builder Everest Forms, used to create a variety of forms including contact, registration, and payment forms. The weakness lies in the Complex Calculation feature, where values from form fields are inserted into a PHP code string and then executed via PHP’s eval() function. Although user input is filtered through sanitizetextfield(), this function does not escape single quotes or other characters that influence PHP syntax, permitting code injection.
Technical Details
- The vulnerability arises when user-provided input is embedded in a PHP code string that is later fed to eval().
- sanitizetextfield() does not escape single quotes ('), allowing an attacker to manipulate the surrounding PHP syntax.
- An attacker can terminate the intended string literal by injecting a leading single quote, then insert arbitrary PHP code, and terminate with a // comment to neutralize the remainder of the generated code.
- Successful exploitation results in code execution on the server, enabling the attacker to perform actions as the webserver user, including creating administrator accounts.
Exploitation and Impact
- Privilege escalation to administrator enables full control over the WordPress site: content modification, installation of plugins and themes, backdoors or web shells, and access to private databases.
- The attack chain occurs during form submission processing, where the calculated value is evaluated and the injected PHP executes with the site’s privileges.
- Early indicators point to the creation of rogue administrator accounts as a common objective of exploitation campaigns.
Exploitation Volume
- Telemetry from Wordfence firewall and malware scanner shows exploitation activity beginning in mid-April.
- Wordfence data indicates the firewall blocked more than 29,300 exploitation attempts within the observed timeframe.
- Initial exploitation signals originate from two notable IP addresses: 202.56.2.126 and 209.146.60.26, with additional IOCs reported by security researchers.
Timeline
- February: A researcher (h0xilo) submitted the CVE-2026-3300 vulnerability through Wordfence.
- March 18: Everest Forms (the plugin author) released a patch addressing the issue.
- April 13: Active exploitation campaigns began, with a surge in detected attempts and firewall blocks.
Indicators of Compromise
- Suspicious administrator activity: rogue accounts and unexpected administrative privileges appearing in user lists.
- Log entries showing form processing sequences that include injected PHP code and the use of eval().
- Known IOCs including the IP addresses 202.56.2.126 and 209.146.60.26.
- A recurring pattern in usernames associated with exploitation attempts (e.g., “diksimarina”) used in some attack narratives.
Related Articles
- Critical Kirki flaw exploited to hijack WordPress admin accounts
- WP Maps Pro bug exploited to create admin accounts on WordPress sites
- Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
- Hackers exploit file upload bug in Breeze Cache WordPress plugin
- Hackers exploit critical flaw in Ninja Forms WordPress plugin
ConclusionThe CVE-2026-3300 incident highlights the ongoing risk associated with evaluating and executing user-submitted content within complex form-processing features. The combination of insufficient input sanitization for syntax-sensitive characters and the use of eval() creates a potent vector for remote code execution and privilege escalation. Patches were released, and exploitation activity has been observed in the wild, reinforcing the need for vigilant monitoring of administrator accounts, form submission activity, and network indicators tied to exploitation campaigns.
