Bottom line: An unpatched security vulnerability in Everest Forms Pro (up to version 1.9.12) allows unauthenticated attackers to execute arbitrary PHP code on WordPress websites and take control.
Security firm Defiant warns of active exploitation of a critical remote code execution vulnerability in the WordPress plugin Everest Forms Pro (CVE-2026-3300, CVSS 9.8). Attackers exploit insufficient input sanitization in the calculation add-on to execute PHP code and create admin accounts.
The remote code execution vulnerability in the commercial WordPress plugin Everest Forms Pro is tracked as CVE-2026-3300 and rated critical, with a CVSS score of 9.8. All plugin versions up to and including 1.9.12 are affected. The flaw lies in the “process_filter” function of the calculation add-on, which processes mathematical formulas and executes them via the PHP function eval. The sanitization applied via sanitize_text_field does not escape single quotes, so unauthenticated attackers can inject malicious code through public form fields.
The attack requires neither user interaction nor login. A manipulated value containing a single quote is sufficient to break out of the PHP string and execute custom code on the server. Active exploitation began on April 13, 2026, approximately two weeks after the security warning was published. The security service Wordfence has since recorded over 29,300 blocked attack attempts, including over 17,900 requests on a single day in May. The majority of requests originated from IP address 202.56.2.126.
Attackers aim for complete takeover of affected websites. In observed attack waves, actors typically created a new admin account with the username “diksimarina” and email address “diksimarina@gmail.com” or deployed web shells for persistent remote access. Developer WPEverest released the patched version 1.9.13 on March 18, 2026.
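Operators who want to know whether their own site saw this wave can start with the web server access log. The following is an added example, not code from the article, Defiant, Wordfence or WPEverest: it parses a standard Apache/nginx "combined" access log, flags requests from the source IP named above, counts them per day, and tallies POST submissions per source so other high-volume form submitters stand out. The log lines are constructed, and the form page path "/contact/" is a placeholder for whatever page hosts the affected form.

```python
"""Triage access logs for the Everest Forms Pro exploitation campaign.

Added example (not from the article or from WPEverest/Defiant/Wordfence). It
assumes a standard Apache/nginx "combined" access log; the sample lines below
are constructed, and the form page path "/contact/" is a placeholder.
"""
import re
from collections import Counter, defaultdict

# Indicator from the article: the IP that sent most of the observed requests.
KNOWN_SOURCE_IPS = {"202.56.2.126"}

# Combined log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2026:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120
202.56.2.126 - - [13/Apr/2026:08:02:44 +0000] "POST /contact/ HTTP/1.1" 403 210
202.56.2.126 - - [13/Apr/2026:08:02:45 +0000] "POST /contact/ HTTP/1.1" 403 210
198.51.100.7 - - [13/Apr/2026:09:15:00 +0000] "GET /contact/ HTTP/1.1" 200 8800
202.56.2.126 - - [14/Apr/2026:01:30:02 +0000] "POST /contact/ HTTP/1.1" 200 15
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = rec["ts"].split(":", 1)[0]  # e.g. "13/Apr/2026"
    return rec


def triage(log_text, known_ips=KNOWN_SOURCE_IPS):
    """Summarise a log: every hit from a known source IP, its per-day volume,
    and the number of POSTs per source so that unknown high-volume form
    submitters are visible as well."""
    hits = []
    per_day = defaultdict(Counter)
    post_counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            post_counts[rec["ip"]] += 1
        if rec["ip"] in known_ips:
            hits.append((rec["ts"], rec["method"], rec["path"], rec["status"]))
            per_day[rec["ip"]][rec["day"]] += 1
    return {
        "hits": hits,
        "per_day": {ip: dict(days) for ip, days in per_day.items()},
        "post_counts": post_counts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ts, method, path, status in result["hits"]:
        print(f"known source: {ts} {method} {path} -> {status}")
    for ip, days in result["per_day"].items():
        print(ip, days)
    print("POST volume by source:", result["post_counts"].most_common(3))
```

A 403 on these lines means a firewall or rule set blocked the request; a 200 response from a known source to the form page is the case that warrants the post-update review described below, since the request reached the plugin.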
For CISOs and website operators, an immediate update to version 1.9.13 or later is strongly recommended. If an update is not immediately possible, the calculation function should be disabled in all forms or the entire plugin temporarily deactivated. After updating, review the user list for unauthorized accounts; additionally, server directories should be searched for unexpected PHP files to detect evidence of compromise that may have already occurred.
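The two post-update checks above (reviewing the user list and searching for unexpected PHP files) can be scripted. The following is an added example, not code from the article or from WPEverest: it assumes a user list exported with `wp user list --format=json` (fields user_login, user_email and roles, with roles as a comma-separated string) and a normal WordPress layout in which wp-content/uploads holds only media and therefore should contain no PHP at all. It flags administrators that are not on an operator-supplied allow list, any account matching the indicators named in the article, and PHP files (including double-extension names such as photo.jpg.php) under the upload directory. The user list and the site tree it builds are constructed sample data.

```python
"""Post-update compromise review for a WordPress site.

Added example (not from the article or from WPEverest). It assumes a user list
from `wp user list --format=json` (user_login, user_email, roles as a
comma-separated string) and a standard layout where wp-content/uploads holds
only media. All sample data below is constructed.
"""
import json
import tempfile
from pathlib import Path

# Indicators named in the article.
SUSPICIOUS_LOGINS = {"diksimarina"}
SUSPICIOUS_EMAILS = {"diksimarina@gmail.com"}

# Upload directories should never contain executable PHP.
UPLOAD_DIRS = ("wp-content/uploads",)
PHP_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}

# Constructed `wp user list --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteadmin", "user_email": "admin@example.com",
     "user_registered": "2024-02-01 10:00:00", "roles": "administrator"},
    {"ID": 7, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2025-05-12 09:30:00", "roles": "editor"},
    {"ID": 42, "user_login": "diksimarina", "user_email": "diksimarina@gmail.com",
     "user_registered": "2026-04-13 08:02:45", "roles": "administrator"},
])


def review_users(user_list_json, expected_admins):
    """Return {user_login: [reasons]} for accounts that need a look:
    administrators not on the expected list, and any account matching the
    campaign indicators regardless of its role."""
    findings = {}
    for user in json.loads(user_list_json):
        login = user["user_login"]
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        email = user.get("user_email", "").lower()
        reasons = []
        if "administrator" in roles and login not in expected_admins:
            reasons.append("administrator not in expected list")
        if login in SUSPICIOUS_LOGINS or email in SUSPICIOUS_EMAILS:
            reasons.append("matches known campaign indicator")
        if reasons:
            findings[login] = reasons
    return findings


def find_php_in_uploads(site_root):
    """Return site-relative paths of PHP-like files under the upload directories."""
    root = Path(site_root)
    found = []
    for rel in UPLOAD_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
                found.append(path.relative_to(root).as_posix())
    return sorted(found)


def build_sample_site():
    """Create a throwaway site tree: one legitimate image, two unexpected PHP
    files under uploads, and a legitimate plugin file outside uploads."""
    root = Path(tempfile.mkdtemp(prefix="wp-review-"))
    (root / "wp-content/uploads/2026/04").mkdir(parents=True)
    (root / "wp-content/uploads/2026/04/photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "wp-content/uploads/2026/04/cache.php").write_text("<?php /* unexpected */")
    (root / "wp-content/uploads/photo.jpg.php").write_text("<?php /* unexpected */")
    (root / "wp-content/plugins").mkdir(parents=True)
    (root / "wp-content/plugins/index.php").write_text("<?php // legitimate")
    return str(root)


if __name__ == "__main__":
    for login, reasons in review_users(SAMPLE_USERS, {"siteadmin"}).items():
        print(f"user {login}: {'; '.join(reasons)}")
    for rel in find_php_in_uploads(build_sample_site()):
        print("unexpected PHP file:", rel)
```

On a real site, replace SAMPLE_USERS with the actual wp-cli export and pass the site's document root to find_php_in_uploads; a hit in the uploads tree or an administrator you did not create is grounds to treat the site as compromised rather than merely vulnerable, since the update closes the entry point but does not remove anything already planted.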
Source: www.it-daily.net · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.6.5.