Full Report
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website. [...]
Analysis Summary
# Vulnerability: Arbitrary PHP Code Injection in Everest Forms Pro
## CVE Details
- **CVE ID:** CVE-2026-3300
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-94 (Improper Control of Generation of Code, 'Code Injection')
## Affected Systems
- **Products:** Everest Forms Pro (Premium add-on for Everest Forms)
- **Versions:** 1.9.12 and earlier
- **Configurations:** Sites with at least one form that uses the "Complex Calculation" feature.
## Vulnerability Description
The vulnerability exists within the plugin's Complex Calculation feature, which concatenates user-submitted form field values into a PHP code string and then executes that string via the `eval()` function. Although the inputs pass through `sanitize_text_field()`, that function does not escape single quotes (') or other characters that are significant in PHP syntax. An attacker can therefore supply a specially crafted input that closes the intended string literal, injects PHP statements, and uses comment markers to neutralize the remainder of the generated code, leading to Remote Code Execution (RCE).
## Exploitation
- **Status:** Actively exploited in the wild.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Full access to databases and private data)
- **Integrity:** High (Ability to modify content, add backdoors, and create admin accounts)
- **Availability:** High (Potential for site takeover or deletion)
## Remediation
### Patches
- **Update to Everest Forms Pro version 1.9.13 or later.** The developer released this patch on March 18, 2026.
### Workarounds
- **Disable Complex Calculations:** If patching is not immediately possible, disable forms utilizing the Complex Calculation feature.
- **IP Blocking:** Revoke access from known malicious IP addresses (see Detection section).
## Detection
### Indicators of Compromise
- **Malicious IP Addresses:**
  - 202.56.2[.]126
  - 209.146.60[.]26
- **Suspicious Accounts:** Presence of a rogue administrator account with the username **"diksimarina"**.
- **Log Strings:** Search web server and database logs for entries containing "wp_insert_user" or "diksimarina".
### Detection Methods and Tools
- **Log Analysis:** Review WordPress audit logs for unauthorized administrative user creation.
- **Security Scanning:** Use security plugins (such as Wordfence) to scan for unauthorized file changes or new administrator accounts.
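The following is an added example (not from the advisory or from Wordfence) that turns the indicators above into a small triage script: it scans web server and PHP/database log lines for the two listed IP addresses and the `wp_insert_user` / `diksimarina` strings, and checks a user list (as you would export it from `wp_users` joined with `wp_usermeta`) for the rogue administrator account. The log lines and user records it ships with are constructed samples; the IP addresses and strings are the advisory's own.

```python
import ipaddress
import re

# Indicators taken from the advisory (defanged notation expanded to real addresses).
IOC_IPS = {"202.56.2.126", "209.146.60.26"}
IOC_STRINGS = ("wp_insert_user", "diksimarina")
ROGUE_ADMIN = "diksimarina"

# First whitespace-delimited token of an Apache/Nginx access-log line is the client address.
LEADING_TOKEN_RE = re.compile(r"^(\S+)\s")

def scan_log(lines):
    """Return [(line_no, reasons)] for lines matching the advisory's IoCs.
    Works on access logs (IP + string checks) and on PHP/DB logs (string checks only)."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = []
        m = LEADING_TOKEN_RE.match(line)
        if m:
            try:  # only treat the leading token as an address if it parses as one
                ip = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                ip = None
            if ip in IOC_IPS:
                reasons.append(f"ioc_ip:{ip}")
        lowered = line.lower()
        reasons.extend(f"ioc_string:{s}" for s in IOC_STRINGS if s in lowered)
        if reasons:
            hits.append((n, reasons))
    return hits

def find_rogue_admins(users):
    """users: (user_login, roles) pairs; flags the advisory's rogue username when it holds the administrator role."""
    return sorted(login for login, roles in users
                  if login.lower() == ROGUE_ADMIN and "administrator" in roles)

# Constructed sample input (not taken from the advisory); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [20/Jun/2026:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [20/Jun/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.9 - - [20/Jun/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"',
]
SAMPLE_PHP_LOG = [
    "[20-Jun-2026 10:01:10 UTC] PHP Warning: Undefined index in plugin.php on line 12",
    "[20-Jun-2026 10:01:11 UTC] PHP Notice: wp_insert_user called from eval()'d code on line 1",
]
SAMPLE_USERS = [("editor_jane", ["editor"]), ("diksimarina", ["administrator"]), ("admin", ["administrator"])]

if __name__ == "__main__":
    print(scan_log(SAMPLE_ACCESS_LOG), scan_log(SAMPLE_PHP_LOG), find_rogue_admins(SAMPLE_USERS))
```

Run it against `access.log`, the PHP error log and a `wp_users` export by replacing the sample lists; a hit on either IP or string is a trigger for the audit-log review and file-change scan described above, not proof of compromise on its own.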
## References
- Wordfence Blog: hxxps[://]www[.]wordfence[.]com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
- BleepingComputer Advisory: hxxps[://]www[.]bleepingcomputer[.]com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/