Critical Everest Forms Pro Flaw Actively Exploited to Hijack WordPress Sites
A critical unauthenticated remote code execution vulnerability, **CVE-2026-3300**, in the **Everest Forms Pro** plugin is being actively exploited, allowing attackers to gain full control over affected **WordPress** websites. The flaw, present in versions 1.9.12 and earlier, enables threat actors to inject arbitrary PHP code and create rogue administrator accounts. IT security professionals and site owners are urged to patch immediately and review for signs of compromise.

Hackers are actively exploiting a critical vulnerability, tracked as **CVE-2026-3300**, in the **Everest Forms Pro** plugin. This flaw grants attackers the ability to take complete control of a **WordPress** website without requiring any authentication.
The security issue affects versions 1.9.12 and earlier of the plugin, enabling unauthenticated arbitrary code execution on the server. **Everest Forms Pro** is a commercial add-on for the **WordPress** form builder plugin **Everest Forms**, used widely for creating contact, registration, payment, and various custom application forms.
### Deep Dive into CVE-2026-3300
**CVE-2026-3300** resides within the plugin's Complex Calculation feature. This functionality is designed to accept values submitted through form fields and embed them into a PHP code string, subsequently executing the resulting code using PHP's `eval()` function.
While user input is passed through a `sanitize_text_field()` function, this sanitization mechanism crucially fails to escape single quotes (') or other characters that can influence PHP syntax. This oversight creates a critical injection vector.
As a result, an attacker can craft malicious input to prematurely close the intended string, inject arbitrary PHP code, and then comment out the remaining generated code. This technique successfully bypasses security measures, leading to remote code execution on the server.
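The root cause described above is that field values are spliced into source text that is then evaluated, and a text sanitizer is not a code-syntax escaper. The fix a defender wants is to never build code from user input at all. The following Python sketch is an added illustration, not the plugin's code and not from Everest Forms or Wordfence (it is Python rather than PHP so it can be run as-is): each field value must be a bare number, and an administrator-defined formula is evaluated by a whitelisted AST walker instead of `eval()`. The `{name}` template syntax and all function names are assumptions made for this example.

```python
"""Hardened calculation handling: validate field values strictly and
evaluate a whitelisted arithmetic AST instead of eval()'ing a string
assembled from user input.  Example code, not the plugin's own."""
import ast
import operator
import re

# A form field may contribute nothing but a plain decimal number.  A value
# that starts with a quote, contains a comment marker, or is otherwise not
# a number is rejected before it can reach the evaluator.
_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")

# The only operations the calculator is permitted to perform.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARYOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def validate_field(value) -> float:
    """Return the field as a float, or raise if it is not a bare number."""
    if not isinstance(value, str) or not _NUMBER.match(value.strip()):
        raise ValueError(f"rejected non-numeric form value: {value!r}")
    return float(value)


def is_accepted(value) -> bool:
    """Convenience predicate: would validate_field() let this value through?"""
    try:
        validate_field(value)
        return True
    except ValueError:
        return False


def _eval_node(node):
    """Walk the parsed expression, allowing only numbers and arithmetic."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_eval_node(node.operand))
    # Names, calls, attributes, subscripts: none of these belong in a
    # price calculation, so the whole evaluation is refused.
    raise ValueError(f"disallowed expression element: {type(node).__name__}")


def safe_calculate(formula: str, fields: dict) -> float:
    """Evaluate an admin-defined formula such as "{qty} * {price}" (assumed
    template syntax) using validated numeric field values only."""
    def substitute(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError(name)
        # Only the repr of a validated float is ever spliced in, never the
        # raw submitted string.
        return repr(validate_field(fields[name]))

    expression = re.sub(r"\{(\w+)\}", substitute, formula)
    tree = ast.parse(expression, mode="eval")
    return _eval_node(tree.body)


def try_calculate(formula: str, fields: dict):
    """Return the result, or None when the input or formula is refused."""
    try:
        return safe_calculate(formula, fields)
    except (ValueError, KeyError, SyntaxError, ZeroDivisionError):
        return None


if __name__ == "__main__":
    print(try_calculate("{qty} * {price}", {"qty": "3", "price": "2.50"}))
    # A value that tries to break out of the number is simply refused.
    print(try_calculate("{qty} + 1", {"qty": "' ) ; x //"}))
```

Two layers do the work here: the regex refuses any field value that is not a number, and the AST walker refuses any formula element other than arithmetic, so even a mistake in the formula itself cannot turn into a call or a name lookup.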
### Anatomy of the Attack
Telemetry data from **Wordfence**, a prominent firewall and malware scanner for **WordPress**, confirms that the vulnerability is being actively exploited in the wild to create rogue administrator accounts.
**Wordfence** detailed the exploitation method in a [report](https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-critical-vulnerability-in-everest-forms-pro-plugin/), explaining:
> "The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls `wp_insert_user()` to create a new administrator account with the username 'diksimarina'. The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error. When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created."
### The Critical Impact
Gaining administrator-level access grants attackers full authority over the compromised website. This includes the ability to modify content, install malicious plugins and themes, plant backdoors and webshells for persistent access, and access private databases, posing significant risks to data integrity and user privacy.
### Timeline and Mitigation
The **CVE-2026-3300** vulnerability was initially submitted by researcher **h0xilo** through **Wordfence** in February. The developers of **Everest Forms** released a patch addressing the issue on March 18.
Despite the availability of a patch, active exploitation commenced on April 13. **Wordfence** reports blocking over 29,300 exploitation attempts since then, highlighting the widespread nature of the attacks.

**Wordfence** indicates that exploitation attempts primarily originate from two specific IP addresses, `202.56.2[.]126` and `209.146.60.26`, and recommends that defenders block these indicators of compromise (IOCs).
Website administrators are strongly advised to immediately update **Everest Forms Pro** to the latest version (1.9.13 or newer). Furthermore, it is crucial to review log files and existing administrator accounts for any suspicious activity, particularly entries containing the string 'diksimarina', which indicates a potential compromise.
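The review step above (log files, administrator accounts, the two reported source IPs and the 'diksimarina' string) is the kind of triage that is easy to script. The helper below is an added example, not a Wordfence or Everest Forms tool: it scans combined-format access log lines for the reported IPs and scans every line for the reported username string, then flags administrator accounts whose login matches that string or that were registered on or after the patch date. The log lines and the user list are constructed sample data, the registered-after-patch heuristic is an assumption for triage only (it produces leads, not verdicts), and the year 2026 in the dates is inferred from the CVE identifier and report URL.

```python
"""Triage helper for the CVE-2026-3300 indicators named in the article.
Example code, not the plugin's or Wordfence's own.  Sample data is constructed."""
import re
from datetime import date

# Source IPs reported by Wordfence (the article defangs the first as 202.56.2[.]126).
IOC_IPS = {"202.56.2.126", "209.146.60.26"}
# Username string the article says to look for in logs and account lists.
IOC_STRING = "diksimarina"
# Patch release date from the article; the year is inferred from the CVE id.
PATCH_DATE = date(2026, 3, 18)

# Apache/Nginx "combined" access-log format.  Request bodies are not normally
# written here, so the username IoC mostly surfaces in WAF or plugin logs,
# which is why every line (not only parsed ones) is checked for the string.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def scan_log_lines(lines):
    """Return [(line_number, [reasons...])] for lines that match an indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = []
        match = _COMBINED.match(line)
        if match and match.group("ip") in IOC_IPS:
            reasons.append("ioc-ip")
        if IOC_STRING in line.lower():
            reasons.append("ioc-string")
        if reasons:
            hits.append((number, reasons))
    return hits


def suspicious_admins(users, since=PATCH_DATE):
    """Flag administrator accounts by reported username or by registration
    on/after the patch date (a review heuristic, not proof of compromise)."""
    flagged = []
    for user in users:
        if "administrator" not in user["roles"]:
            continue
        if user["login"].lower() == IOC_STRING or user["registered"] >= since:
            flagged.append(user["login"])
    return flagged


# Constructed sample log: three access-log lines plus one WAF-style line that
# carries a request-body excerpt.  Paths and user agents are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2026:03:10:01 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '209.146.60.26 - - [14/Apr/2026:03:12:45 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '202.56.2.126 - - [14/Apr/2026:03:13:02 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2026-04-14T03:13:03Z waf block src=198.51.100.9 body_excerpt="... diksimarina ..."',
]

# Constructed sample of what a WP user export might look like after parsing.
SAMPLE_USERS = [
    {"login": "alice", "roles": ["administrator"], "registered": date(2024, 5, 2)},
    {"login": "bob", "roles": ["editor"], "registered": date(2026, 4, 1)},
    {"login": "diksimarina", "roles": ["administrator"], "registered": date(2026, 4, 14)},
    {"login": "carol", "roles": ["administrator"], "registered": date(2026, 4, 20)},
]


if __name__ == "__main__":
    for number, reasons in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
    print("review these admin accounts:", suspicious_admins(SAMPLE_USERS))
```

On a real site, feed `scan_log_lines` the web-server and WAF logs covering the window from the patch date onward, and build the user list from the database or a `wp user list`-style export; any administrator flagged by registration date alone still needs a human to confirm who created it.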