CVE-2026-3300: Active exploits target Everest Forms Pro’s Complex Calculation feature

A critical remote code execution flaw in Everest Forms Pro (CVE-2026-3300) is being actively exploited to take over WordPress sites. The issue affects versions up to and including 1.9.12 and is patched in 1.9.13, according to Wordfence and reporting by BleepingComputer. Wordfence rates the bug Critical (CVSS 9.8) and says exploitation began in mid-April, with more than 29,000 exploit attempts blocked by its firewall to date.

Why it matters: this is an unauthenticated attack path that can lead to complete site compromise. Everest Forms Pro is a commercial add-on used to build contact, registration, and payment forms, with Wordfence estimating roughly 4,000 active installations.

What’s vulnerable and how attacks work

Both sources attribute the vulnerability to the plugin’s Complex Calculation capability. When a form uses this feature, submitted field values are concatenated into a PHP code string and executed with eval(). Although the values are passed through sanitize_text_field(), that function does not escape single quotes or other syntax that affects PHP parsing. An attacker can supply crafted input that breaks out of the intended string, injects arbitrary PHP code, and comments out the remainder so the payload executes cleanly.

Wordfence telemetry shows attackers using this vector to create rogue administrator accounts. The most common case observed attempts to add an admin user named “diksimarina” (email: diksimarina@gmail.com) by invoking WordPress’s user-creation function during form processing. With administrator access, a threat actor can modify content, install plugins or themes, and deploy backdoors or webshells.

Not every installation is equally exposed: exploitation requires at least one form on the site to use the Complex Calculation feature.

What we know about in-the-wild activity

Wordfence reports active exploitation started on April 13, 2026, and has blocked more than 29,300 attempts so far. Their data highlights multiple offending IPs, with the bulk of activity attributed to 202.56.2.126 and 209.146.60.26, among others. BleepingComputer cites the same behavior and recommends reviewing administrator accounts and logs for indicators tied to these attacks.

All timelines, exploit volume, and IP indicators above come from Wordfence’s observations and may evolve.

What site owners should do now

Based on the available evidence from Wordfence and BleepingComputer:

  • Update Everest Forms Pro to version 1.9.13 (the patched release) as soon as possible.
  • Audit WordPress users for unexpected administrator accounts, especially a username “diksimarina” or the email “diksimarina@gmail.com”.
  • Review access and web server logs for requests from IPs observed in attacks, notably 202.56.2.126 and 209.146.60.26, and the additional IPs listed by Wordfence: 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153.
  • Check whether any of your forms use Everest Forms Pro’s “Complex Calculation” feature. Sites not using that feature are less likely to be exploitable via this specific bug.
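For the log-review step above, the following is an added example (not Wordfence's or the vendor's code) that scans web server access logs in the common "combined" format for the attacker IPs quoted in this article, normalising IPv6 so that the expanded form an access log may record matches the compressed form in the advisory, and counting POST requests separately because form submissions are the delivery vector described above. The log lines it runs on are constructed for illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Attacker IPs as published by Wordfence and quoted in the article above.
ATTACKER_IPS = {
    "202.56.2.126", "209.146.60.26", "15.235.166.18",
    "2402:1f00:8000:800::40db", "185.78.165.153",
}

# Apache/nginx "combined" format: client ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def normalize_ip(raw):
    """Canonicalise an address so compressed and expanded IPv6 spellings compare equal."""
    try:
        return str(ipaddress.ip_address(raw.strip("[]")))
    except ValueError:
        return None

IOC_SET = {normalize_ip(ip) for ip in ATTACKER_IPS}

def scan_access_log(lines):
    """Return per-IP hit summaries for requests originating from a listed attacker IP."""
    hits = defaultdict(lambda: {"requests": 0, "posts": 0, "paths": set(), "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-attribute it
        ip = normalize_ip(m["ip"])
        if ip not in IOC_SET:
            continue
        h = hits[ip]
        h["requests"] += 1
        if m["method"] == "POST":  # form submissions arrive as POSTs
            h["posts"] += 1
        h["paths"].add(m["path"])
        h["first"] = h["first"] or m["time"]
        h["last"] = m["time"]
    return dict(hits)

SAMPLE_LOG = [  # constructed lines for demonstration, not captured traffic
    '203.0.113.7 - - [14/Apr/2026:09:12:01 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [14/Apr/2026:09:12:05 +0000] "POST /contact/ HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '2402:1f00:8000:800:0:0:0:40db - - [14/Apr/2026:09:13:40 +0000] "POST /contact/ HTTP/1.1" 200 812 "-" "curl/8.4"',
    '202.56.2.126 - - [14/Apr/2026:09:14:22 +0000] "GET /wp-login.php HTTP/1.1" 200 4433 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, h in scan_access_log(SAMPLE_LOG).items():
        print(f"{ip}: {h['requests']} requests ({h['posts']} POST), {h['first']} .. {h['last']}, {sorted(h['paths'])}")
```

Feed it your real access log (one line per list element) and treat any hit as a reason to audit administrator accounts and run your incident response process, as the article advises.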

If you find evidence of a rogue administrator account or suspicious requests aligned with these indicators, treat the site as potentially compromised and follow your established incident response process.

Caveats and open questions

  • The attack volume, top offending IP addresses, and the “diksimarina” indicator are reported by Wordfence and may change as campaigns shift.
  • Public sources do not enumerate how many compromise attempts have succeeded, only that exploitation is ongoing and widespread.
  • The vulnerability is tied to the Complex Calculation feature; environments that do not use it may be less exposed, but updating remains the safest path.

Bottom line

CVE-2026-3300 is a critical, unauthenticated RCE in Everest Forms Pro that attackers are actively abusing to create administrator users. A vendor patch is available in 1.9.13. Prioritize updating, audit your admin accounts, and check logs for the indicators listed above.

Sources: Wordfence advisory and attack data, and coverage by BleepingComputer.
