Everest Forms Pro Vulnerability Allows Remote Code Execution on WordPress Sites

3 hours ago 4
Emergency Loans for business funding and personal get updated jobs at bestpiecejob.co.za Work From Home - Earn Something By Just Working At Home

A critical vulnerability in the Everest Forms Pro plugin for WordPress has been actively exploited to hijack vulnerable websites.

According to new analysis from WordPress security firm Wordfence, the remote code execution flaw lets unauthenticated attackers run PHP on a target server and take over the site.

Tracked as CVE-2026-3300, the bug scores 9.8 on the CVSS scale and affects every release up to and including 1.9.12. Everest Forms Pro is a commercial form builder from developer WPEverest, with roughly 4000 active installations.

The flaw was reported to Wordfence's bug bounty program by a researcher using the handle h0xilo.

WPEverest patched the flaw in version 1.9.13. Any site on an earlier build remains exposed, and administrators have been urged to update without delay.

Read more on WordPress plugin attacks: Major WordPress Plugin Flaw Exploited in Under 4 Hours

Single Quotes Slip Past Sanitization

At the core of the bug is the WordPress plugin's Calculation add-on, which runs a form's calculation formula through PHP's eval() function.

Submitted field values are concatenated into that PHP string before it runs, and sanitize_text_field() does not escape single quotes. An attacker can open a value with a quote, break out of the wrapping string and inject PHP that eval() then executes.

Only forms that switch on the "Complex Calculation" feature are exposed to the PHP code injection. On those, any text, email, URL, select or radio field can serve as the entry point.

From there, a successful attack can create rogue administrator accounts, plant webshells and open further footholds.

Rogue Admin Accounts and Blocked Attacks

Wordfence telemetry shows the attacks began on April 13, 2026, about two weeks after public disclosure. Its leading payload tried to register an administrator account named "diksimarina."

In total, the firm said its firewall has blocked more than 29,300 exploit attempts. A surge on May 16 accounted for over 17,900 of them in a single day.

Defenders reviewing their logs should watch for the following indicators:

  • Administrator account using the name "diksimarina"

  • The email address diksimarina@gmail.com

  • Requests from 202.56.2.126, the source of more than 26,300 blocked attempts

Flaws that hand attackers administrator access have become a recurring problem for WordPress operators.

Read Entire Article
  1. Homepage
  2. Tenders
  3. Everest Forms Pro Vulnerability Allows Remote Code Execution on WordPress Sites

Related

Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public

Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code G...

2 hours ago 0
HTTP/2’s speed abused to slow webserver performance in DoS attack

HTTP/2’s speed abused to slow webserver performance in DoS a...

2 hours ago 3
OpenAI responds to White House executive order on AI governance

OpenAI responds to White House executive order on AI governa...

2 hours ago 3
AXA DC500 HARD BOOK A4

AXA DC500 HARD BOOK A4

3 hours ago 1
PRX430 C48 SEWING MACHINE

PRX430 C48 SEWING MACHINE

3 hours ago 1
DK271 HS88 REFLECTIVE JACKETS

DK271 HS88 REFLECTIVE JACKETS

3 hours ago 1
RDY510 K42 Access Control Card

RDY510 K42 Access Control Card

3 hours ago 1
Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

Claude Code GitHub Action Flaw Let One Malicious Issue Hijac...

4 hours ago 1
ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools,...

5 hours ago 3
Chinese-Speaking Actor TA4922 Widens Its Global Reach

Chinese-Speaking Actor TA4922 Widens Its Global Reach

5 hours ago 2
Emergency Loans for business funding and personal Work From Home - Earn Something By Just Working At Home buy or sell