
Everest Forms Pro flaw lets attackers seize WordPress admin

CVE-2026-3300 Everest – Hackers are actively exploiting a critical remote-code-execution flaw in the Everest Forms Pro WordPress plugin to take full control of websites. The vulnerability, CVE-2026-3300, can be triggered without authentication, and it has already been used to create

For WordPress site owners, the danger isn’t just that a plugin bug exists—it’s that it’s already being used.

Everest Forms Pro, a commercial add-on for the Everest Forms plugin, is at the center of an active takeover campaign after a critical vulnerability, CVE-2026-3300, was found to let attackers execute arbitrary code on the server and gain complete control of a WordPress site.

The flaw affects Everest Forms Pro versions 1.9.12 and earlier. Crucially, it can be leveraged without authentication. That’s what makes the incident feel so immediate: an attacker doesn’t need credentials to start the chain of events.

The vulnerability sits inside a feature called “Complex Calculation.” It takes values submitted through form fields and inserts them into a string of PHP source code, which the plugin then executes with PHP’s eval() function. User input is passed through sanitize_text_field() first, but that function does not escape single quotes (') or other characters that change the meaning of PHP syntax.

In practice, that gap lets an attacker close the intended string, inject arbitrary PHP code, and comment out the rest of the generated code so it won’t break execution. Wordfence describes the technique this way:


“The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” the report explains.

“The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”

“When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created.”
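The eval() pattern described above, as an added example rather than code from Everest Forms Pro or from Wordfence: a minimal PHP model of the vulnerable construction beside a hardened version. The stub standing in for sanitize_text_field() is assumed to share only the property that matters here (it leaves single quotes intact); the function names, field names and sample submissions are likewise assumptions. The hardened version validates every field as a number and computes the formula with a small evaluator instead of eval().

```php
<?php
// Added example, not Everest Forms Pro's code: a minimal model of the
// vulnerable pattern (form values spliced into a PHP string handed to eval())
// beside a hardened version. The stub, helper names, field names and sample
// submissions are assumptions for illustration.

// Stand-in for WordPress's sanitize_text_field(): removes tags and control
// bytes but leaves single quotes alone, which is the property that matters.
function sanitize_text_field_stub(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// VULNERABLE pattern: each field value is wrapped in single quotes and spliced
// into source text that would be passed to eval(). The generated source is
// returned rather than executed so hostile input can be inspected safely.
function build_vulnerable_code(array $fields, string $formula): string {
    $code = '';
    foreach ($fields as $name => $raw) {
        $clean = sanitize_text_field_stub($raw);
        $code .= "\${$name} = '{$clean}'; ";
    }
    // Turn bare field names in the formula into PHP variables.
    $expr = preg_replace_callback('/[A-Za-z_]\w*/', fn ($m) => '$' . $m[0], $formula);
    return $code . "return {$expr};";
}

// HARDENED: a calculation only needs numbers, so every value is validated as a
// float and the formula is computed by a small evaluator instead of eval().
function calc_hardened(array $fields, string $formula): float {
    $vars = [];
    foreach ($fields as $name => $raw) {
        $num = filter_var($raw, FILTER_VALIDATE_FLOAT);
        if ($num === false) {
            throw new InvalidArgumentException("field '{$name}' is not numeric");
        }
        $vars[$name] = $num;
    }
    return eval_formula($formula, $vars);
}

// Recursive-descent evaluator for + - * / ( ), numeric literals and field
// names. Any other token (a quote, a semicolon, an unknown name) is an error.
function eval_formula(string $formula, array $vars): float {
    preg_match_all('/\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/()]|\S/', $formula, $m);
    $tokens = $m[0];
    $pos = 0;
    $peek = function () use (&$tokens, &$pos) { return $tokens[$pos] ?? null; };
    $next = function () use (&$tokens, &$pos) { return $tokens[$pos++] ?? null; };
    $expr = $term = $factor = null;
    $factor = function () use (&$factor, &$expr, $next, $vars): float {
        $t = $next();
        if ($t === '(') {
            $v = $expr();
            if ($next() !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        if ($t === '-') return -$factor();
        if ($t !== null && is_numeric($t)) return (float) $t;
        if ($t !== null && array_key_exists($t, $vars)) return $vars[$t];
        throw new InvalidArgumentException('unexpected token ' . var_export($t, true));
    };
    $term = function () use (&$factor, $peek, $next): float {
        $v = $factor();
        while (in_array($peek(), ['*', '/'], true)) {
            $op = $next();
            $r = $factor();
            if ($op === '/' && $r == 0.0) throw new InvalidArgumentException('division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    };
    $expr = function () use (&$term, $peek, $next): float {
        $v = $term();
        while (in_array($peek(), ['+', '-'], true)) {
            $op = $next();
            $r = $term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    };
    $result = $expr();
    if ($peek() !== null) throw new InvalidArgumentException('trailing input');
    return $result;
}

// Constructed sample submissions. The hostile one has the shape the report
// describes: a quote that closes the literal, a statement, then a // comment.
$formula = 'qty * price';
$benign  = ['qty' => '3', 'price' => '12.50'];
$hostile = ['qty' => "'; echo 'injected'; //", 'price' => '1'];

echo "generated code, benign input:\n" . build_vulnerable_code($benign, $formula) . "\n";
echo "eval() result: " . eval(build_vulnerable_code($benign, $formula)) . "\n";
echo "\ngenerated code, hostile input (shown, not executed):\n" . build_vulnerable_code($hostile, $formula) . "\n";

echo "\nhardened, benign: " . calc_hardened($benign, $formula) . "\n";
try {
    calc_hardened($hostile, $formula);
} catch (InvalidArgumentException $e) {
    echo "hardened, hostile: rejected (" . $e->getMessage() . ")\n";
}
```

Run with `php example.php`. The hostile generated string shows the mechanism directly: the leading quote terminates the `$qty` literal, the statement that follows is live code, and the trailing `//` turns the closing quote and everything after it into a comment, so the code still parses. Escaping quotes would narrow the hole but still leaves eval() as the sink; the hardened path removes the sink entirely, which is why the validation step rejects anything that is not a float before it reaches the formula.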


Once attackers reach administrator-level access, the consequences are broad and high-stakes. With full power over the breached website, they can modify content, install plugins and themes, plant backdoors and webshells, and access private databases.

The timeline matters. Researcher h0xilo submitted the CVE-2026-3300 vulnerability through Wordfence in February. On March 18, the Everest Forms developer released a patch intended to fix the issue.

But Wordfence’s telemetry indicates exploitation in the wild began later. Active exploitation started on April 13, and the firewall blocked over 29,300 attempts.


The attack traffic, according to Wordfence data, comes primarily from two IP addresses, 202.56.2[.]126 and 209.146.60[.]26, which Wordfence recommends blocking. The report also lists several other offending IP addresses as indicators of compromise (IOCs), reflecting that real-world activity often spreads beyond a single source.

What makes the current moment especially uncomfortable for defenders is what these attacks are designed to create: according to Wordfence, the exploitation campaign is being used to create rogue administrator accounts.

That’s why the immediate advice isn’t abstract. Website administrators should review log files and administrator accounts for suspicious activity, especially anything containing the string “diksimarina.”
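One way to carry out that review offline, as an added example that is not Wordfence’s or the plugin’s code: the script below scans access-log lines for the two addresses and the username named in the report, and checks an administrator export for the rogue login and for accounts created on or after April 13. The log lines and user rows are constructed for the example, and the function names and the export format (what a `wp user list --role=administrator --format=csv` export would look like) are assumptions.

```php
<?php
// Added example, not Wordfence's or the plugin's code: an offline scan of
// access-log lines for the two IPs the report names and the rogue username,
// plus a check of an administrator export for accounts created on or after
// the first observed exploitation date. The log lines and user rows are
// constructed for this example; function names are assumptions.

const IOC_IPS = ['202.56.2.126', '209.146.60.26'];
const IOC_STRINGS = ['diksimarina'];
const EXPLOITATION_START = '2026-04-13';

// Constructed sample: combined-format access-log lines.
$sample_log = <<<'LOG'
203.0.113.7 - - [12/Apr/2026:09:14:02 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
202.56.2.126 - - [13/Apr/2026:03:41:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.23 - - [13/Apr/2026:08:02:11 +0000] "GET /author/diksimarina/ HTTP/1.1" 200 4412 "-" "Mozilla/5.0"
209.146.60.26 - - [14/Apr/2026:22:17:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.5"
LOG;

// Constructed sample: what `wp user list --role=administrator --format=csv
// --fields=ID,user_login,user_email,user_registered` would export.
$sample_admins = <<<'CSV'
ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-06-01 10:00:00
17,diksimarina,diksimarina@example.com,2026-04-13 03:41:57
CSV;

// Returns one record per log line that comes from an IOC address or contains
// an IOC string, with the reasons it was flagged.
function scan_log(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $i => $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"/', $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $time, $request] = $m;
        $reasons = [];
        if (in_array($ip, IOC_IPS, true)) {
            $reasons[] = "source {$ip} is a listed IOC address";
        }
        foreach (IOC_STRINGS as $needle) {
            if (stripos($line, $needle) !== false) {
                $reasons[] = "contains \"{$needle}\"";
            }
        }
        if ($reasons) {
            $hits[] = ['line' => $i + 1, 'ip' => $ip, 'time' => $time, 'request' => $request, 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Returns administrator rows whose login is the known rogue name or whose
// registration date falls on or after the exploitation start date.
function scan_admins(string $csv): array {
    $rows = array_map(fn ($l) => str_getcsv($l, ',', '"', '\\'), preg_split('/\R/', trim($csv)));
    $header = array_shift($rows);
    $hits = [];
    foreach ($rows as $row) {
        $u = array_combine($header, $row);
        $reasons = [];
        if (in_array(strtolower($u['user_login']), IOC_STRINGS, true)) {
            $reasons[] = 'login matches the rogue username from the report';
        }
        if (substr($u['user_registered'], 0, 10) >= EXPLOITATION_START) {
            $reasons[] = "registered {$u['user_registered']}, on or after exploitation began";
        }
        if ($reasons) {
            $hits[] = ['id' => $u['ID'], 'login' => $u['user_login'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (scan_log($sample_log) as $h) {
    printf("log line %d  %s  %s  %s\n    -> %s\n", $h['line'], $h['ip'], $h['time'], $h['request'], implode('; ', $h['reasons']));
}
foreach (scan_admins($sample_admins) as $h) {
    printf("admin #%s %s\n    -> %s\n", $h['id'], $h['login'], implode('; ', $h['reasons']));
}
```

Two caveats for real use: behind a CDN or reverse proxy the first field of the log is the proxy’s address, so match the forwarded client address instead of the source field; and the date check is a coarse filter that will also flag legitimate accounts created after April 13, so it narrows the review rather than deciding it. Because the report notes that attackers with administrator access plant backdoors and webshells, a review that stops at the user table is incomplete; recently modified files under the plugin and theme directories deserve the same attention.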

The central tension in this story is stark: a patch was released on March 18, yet exploitation ramped up on April 13, turning a specific plugin weakness into a fast-moving takeover tool across the WordPress ecosystem.

