Blog Details

Hackers are actively exploiting a severe vulnerability (CVE-2026-3300) in the Everest Forms Skilled plugin, which permits them to lift total management of a WordPress site.

The safety reveal affects variations 1.9.12 and earlier of the plugin and is also leveraged without authentication to abet out arbitrary code on the server.

Everest Forms Skilled is a commercial add-on for the WordPress originate builder plugin Everest Forms. It is outdated to make contact, registration, payment, and diversified custom utility kinds.

The CVE-2026-3300 vulnerability is in the plugin’s Advanced Calculation feature, which accepts values submitted through originate fields and inserts them into a PHP code string. Then, it executes the resulting code the recount of PHP’s ‘eval ()’ feature.

Though person enter is handed through a ‘sanitize_text_field()’ feature, which doesn’t ruin out single quotes (‘) or diversified characters that impact PHP syntax.

As a result, an attacker can shut the intended string, inject arbitrary PHP code, and commentary out the last generated code to make code execution on the server.

Telemetry knowledge from Wordfence firewall and malware scanner for WordPress reveals that the vulnerability is being exploited in the wild to make rogue administrator accounts.

“The attacker submits a cost for a text area that begins with a single quote to shut the wrapping string literal, adopted by a PHP assertion that calls wp_insert_user() to make a sleek administrator fable with the username ‘diksimarina’,” explains a document from Wordfence.

“The trailing // commentary marker ensures the remaining of the generated PHP code, including the closing quote, is handled as a commentary and doesn’t location off a syntax error.”

“When the originate is processed, and the calculation is evaluated, the injected PHP code is accomplished, and the malicious administrator fable is created.”

Administrator-level get entry to offers attackers paunchy strength to originate excessive-possibility actions on the breached site, including improving protest, installing plugins and topics, planting backdoors and webshells, and having access to non-public databases.

Researcher h0xilo submitted the CVE-2026-3300 vulnerability through Wordfence in February, and on March 18, the Everest Forms developer launched a patch that addresses the reveal.

In accordance with Wordfence knowledge, stuffed with life exploitation started on April 13, with the firewall blocking over 29,300 makes an attempt.

Wordfence says exploitation makes an attempt make primarily from two IP addresses, 202.56.2[.]126 and 209.146.60.26, and recommends defenders block them.

However, Wordfence’s document offers several offending IP addresses as indicators of compromise (IOCs).

Web plan directors are furthermore urged to overview log files and administrator accounts for any suspicious recount, specifically containing the string “diksimarina.”