Full Report
Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise. The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was
Analysis Summary
# Vulnerability: Critical Remote Code Execution in Everest Forms Pro
## CVE Details
- **CVE ID:** CVE-2026-3300
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-94 (Improper Control of Generation of Code - 'Code Injection') / CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code - 'Eval Injection')
## Affected Systems
- **Products:** Everest Forms Pro (WordPress Plugin)
- **Versions:** All versions up to, and including, 1.9.12.
- **Configurations:** Forms utilizing the "Complex Calculation" feature via the Calculation Addon.
## Vulnerability Description
The flaw resides in the Calculation Addon's `process_filter()` function. The plugin concatenates user-submitted form field values into a PHP code string that is then passed to `eval()`. Although the plugin runs `sanitize_text_field()` on the input, that function does not escape single quotes or other characters that are significant in a PHP code context, so the "sanitized" value can still alter the generated code. This missing escaping allows an unauthenticated attacker to inject arbitrary PHP code by submitting crafted values in any string-type form field (e.g., text, email, URL, select, radio).
## Exploitation
- **Status:** Exploited in the wild (Actively exploited since April 13, 2026).
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Full access to site data and database)
- **Integrity:** High (Ability to create rogue admin accounts and modify site content)
- **Availability:** High (Potential for complete site takeover or deletion)
## Remediation
### Patches
- **Version 1.9.13:** Released on March 18, 2026. Users must update to this version or later immediately.
### Workarounds
- **Disable Calculations:** Temporarily disable the "Complex Calculation" feature if the plugin cannot be updated immediately.
- **Restrict Access:** Implement a Web Application Firewall (WAF) to block suspicious PHP injection patterns in form submissions.
## Detection
### Indicators of Compromise (IoCs)
- **Rogue Admin Account:** Existence of an administrator account named `diksimarina` with the email `diksimarina@gmail[.]com`.
- **Malicious IP Addresses:**
  - `202.56.2.126`
  - `209.146.60.26`
  - `15.235.166.18`
  - `2402:1f00:8000:800::40db`
  - `185.78.165.153`
### Detection Methods and Tools
- **Log Analysis:** Review web server and WAF request logs for POST submissions to forms whose field values contain PHP syntax (e.g., `system()`, `eval()`, `base64_decode()`). Note that a standard access log records only the request line, not the POST body, so request-body logging (a WAF or audit log) is needed to see the submitted field values.
- **Security Scanners:** Use tools like Wordfence or Sucuri to scan for unauthorized file changes or new administrator accounts.
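As an added illustration of the log-analysis step above (this is not code from the advisory or from the plugin vendor), the following Python script scans a constructed JSON-lines export of form submissions and flags entries whose field values contain PHP syntax or whose source address is on the IoC list above. It assumes a hypothetical log format in which each line carries the source IP, a form id and the submitted field values, as a WAF or request-body audit log might provide.

```python
import json
import re

# Indicator IPs taken from the IoC list in this advisory.
IOC_IPS = {
    "202.56.2.126", "209.146.60.26", "15.235.166.18",
    "2402:1f00:8000:800::40db", "185.78.165.153",
}

# PHP-syntax markers that have no business in a form field value:
# calls to code-execution or decoding functions, an opening PHP tag,
# and superglobal access.
PHP_CALL = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|assert|base64_decode|file_put_contents)\s*\(",
    re.IGNORECASE,
)
PHP_MISC = re.compile(r"<\?php|\$_(GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)


def suspicious_markers(value):
    """Return the PHP-syntax markers found in one field value (empty if clean)."""
    hits = [m.group(0) for m in PHP_CALL.finditer(value)]
    hits += [m.group(0) for m in PHP_MISC.finditer(value)]
    return hits


def scan_submission(record):
    """Classify one submission record (dict) and return the reasons it was flagged."""
    reasons = []
    if record.get("ip") in IOC_IPS:
        reasons.append("source IP on IoC list")
    for name, value in record.get("fields", {}).items():
        markers = suspicious_markers(str(value))
        if markers:
            reasons.append(f"PHP syntax in field '{name}': {', '.join(markers)}")
    return reasons


def scan_log(lines):
    """Scan a JSON-lines submission log; return [(line_no, reasons)] for flagged lines."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        reasons = scan_submission(json.loads(line))
        if reasons:
            hits.append((line_no, reasons))
    return hits


# Constructed sample log (hypothetical format, not real traffic): one benign entry,
# one from an IoC address, one carrying a PHP function call in a numeric field.
SAMPLE_LOG = [
    '{"ip": "198.51.100.7", "form_id": 12, "fields": {"name": "Ada", "qty": "3"}}',
    '{"ip": "202.56.2.126", "form_id": 12, "fields": {"name": "x", "qty": "1"}}',
    '{"ip": "203.0.113.9", "form_id": 12, "fields": {"email": "a@b.test", "qty": "system(\'id\')"}}',
]

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: " + "; ".join(reasons))
```

Feed it your own export by replacing `SAMPLE_LOG` with the lines of the file; a hit on a field that should only ever hold a number (such as a quantity used in a calculation) is the strongest signal.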
## References
- **Vendor Advisory (Wordfence):** hxxps://www[.]wordfence[.]com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/
- **Vulnerability Database:** hxxps://www[.]wordfence[.]com/threat-intel/vulnerabilities/wordpress-plugins/everest-forms-pro/everest-forms-pro-1912-unauthenticated-remote-code-execution-via-calculation-field
- **News Report:** hxxps://thehackernews[.]com/2026/06/hackers-exploit-critical-everest-forms.html