More than 29,300 exploit attempts have been blocked against a critical WordPress plugin flaw tracked as CVE-2026-3300, according to telemetry published by Wordfence.
CVE-2026-3300: how a calculation feature became a remote code execution hole
The vulnerability lies in the Calculation add-on of the Everest Forms Pro plugin for WordPress. The add-on evaluates a form’s calculation formula with PHP’s eval() after splicing submitted field values, wrapped in single quotes, into the PHP expression it builds. The values pass through sanitize_text_field(), which strips tags and control characters but leaves quotes intact, so an attacker can place a single quote in a submitted value, terminate the wrapping string literal and append PHP code that eval() then executes. The result is unauthenticated remote code execution: anyone who can submit the form can run PHP on the server and take over the site.
Only forms that have the “Complex Calculation” feature switched on are exposed. On those forms, any text, email, URL, select or radio field can be used as the injection entry point.
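The pattern described above, as an added example that is not the plugin's code: a simplified reconstruction of the vulnerable formula-to-eval() path beside a hardened replacement that never calls eval(). The {field} placeholder syntax, the function and class names, and the stand-in for sanitize_text_field() are assumptions; the code needs PHP 8.1 or later.

```php
<?php
declare(strict_types=1);
// VULNERABLE pattern: each {field} placeholder is replaced by the submitted
// value wrapped in single quotes and the resulting PHP source is eval()'d.
// A quote inside a value ends the literal; whatever follows is parsed as code.
function calc_vulnerable(string $formula, array $fields): mixed
{
    foreach ($fields as $name => $value) {
        // Stand-in for sanitize_text_field(): tags go, single quotes stay.
        $clean   = trim(strip_tags($value));
        $formula = str_replace('{' . $name . '}', "'" . $clean . "'", $formula);
    }
    return eval('return ' . $formula . ';');
}
// HARDENED replacement: no eval(). Field values must be numbers, the formula
// may contain only whitelisted tokens, and a small recursive-descent evaluator
// computes the result, so no submitted byte is ever handed to the PHP parser.
final class SafeCalc
{
    private const TOKEN = '/\{[A-Za-z0-9_]+\}|\d+(?:\.\d+)?|[-+*\/()]/';
    private array $tokens;
    private int $pos = 0;
    public function __construct(string $formula, private array $values)
    {
        // Every non-space character of the formula must belong to some token.
        if (trim((string) preg_replace(self::TOKEN, '', $formula)) !== '') $this->fail('Disallowed characters in formula');
        preg_match_all(self::TOKEN, $formula, $m);
        $this->tokens = $m[0];
    }

    public function evaluate(): float
    {
        $v = $this->expr();
        if ($this->peek() !== null) $this->fail('Unexpected token ' . $this->peek());
        return $v;
    }
    private function fail(string $msg): never { throw new InvalidArgumentException($msg); }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function expr(): float { return $this->binary(['+', '-'], fn() => $this->term()); }
    private function term(): float { return $this->binary(['*', '/'], fn() => $this->factor()); }
    // Left-associative chain of binary operators at one precedence level.
    private function binary(array $ops, callable $operand): float
    {
        $v = $operand();
        while (in_array($this->peek(), $ops, true)) {
            $op = $this->tokens[$this->pos++];
            $r  = $operand();
            if ($op === '/' && $r == 0.0) $this->fail('Division by zero in formula');
            $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
        }
        return $v;
    }
    // factor := number | {field} | '(' expr ')' | '-' factor
    private function factor(): float
    {
        $t = $this->peek() ?? $this->fail('Unexpected end of formula');
        $this->pos++;
        if ($t === '(') {
            $v = $this->expr();
            if ($this->peek() !== ')') $this->fail('Expected )');
            $this->pos++;
            return $v;
        }
        if ($t === '-') return -$this->factor();
        if ($t[0] === '{') {
            $name = substr($t, 1, -1);
            return $this->values[$name] ?? $this->fail("Unknown field {$name}");
        }
        if (!is_numeric($t)) $this->fail("Unexpected token {$t}");
        return (float) $t;
    }
}

function calc_hardened(string $formula, array $fields): float
{
    $values = [];
    foreach ($fields as $name => $value) {
        // Validate rather than sanitise: anything but a plain number is refused.
        if (!is_numeric($value)) throw new InvalidArgumentException("Field {$name} is not numeric");
        $values[$name] = (float) $value;
    }
    return (new SafeCalc($formula, $values))->evaluate();
}

// Constructed inputs: a benign order, and one whose price field carries a quote
// followed by a harmless PHP expression standing in for an attacker's payload.
$formula   = '{qty} * {price}';
$benign    = ['qty' => '3', 'price' => '4'];
$malicious = ['qty' => '3', 'price' => "4' . phpversion() . '"];
var_dump(calc_vulnerable($formula, $benign));    // ordinary arithmetic
var_dump(calc_vulnerable($formula, $malicious)); // phpversion() executed inside eval()
var_dump(calc_hardened($formula, $benign));
try {
    calc_hardened($formula, $malicious);         // refused before anything is evaluated
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With the malicious input the vulnerable path builds the source `'3' * '4' . phpversion() . ''`, which is valid PHP, so the injected call runs and its output is concatenated into the result; with a command-execution function in place of phpversion() that is the remote code execution the advisory describes. The hardened version never gives the interpreter a string that came from the request: values are checked with is_numeric() and cast, the formula is tokenised against a whitelist, and the arithmetic is done by the parser itself. Escaping quotes before eval() would not be an adequate fix, because the attacker then only needs a different way to influence the generated code.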
Scope: Everest Forms Pro versions, installations, and the patch
The flaw affects every release of Everest Forms Pro up to and including 1.9.12 and carries a CVSS score of 9.8. Everest Forms Pro is a commercial form builder from developer WPEverest with roughly 4,000 active installations. WPEverest issued a patch in version 1.9.13; administrators running earlier builds remain exposed and have been urged to update without delay. The bug was reported to Wordfence’s bug bounty program by a researcher using the handle h0xilo.
Active exploitation: Wordfence telemetry and observable indicators
Wordfence reported that active exploitation began on April 13, 2026, about two weeks after the vulnerability’s public disclosure. Its firewall has blocked more than 29,300 exploit attempts in total. A single-day surge on May 16 accounted for over 17,900 blocked attempts.
Wordfence identified a leading payload that attempted to register an administrator account named “diksimarina.” The company pointed defenders to a small set of observable indicators to help identify compromise or attempted exploitation:
- An administrator account using the name "diksimarina"
- The email address diksimarina@gmail.com
- Requests originating from 202.56.2.126, which was the source of more than 26,300 blocked attempts
Potential impact: what successful exploitation allows
Because the vulnerability allows attackers to execute arbitrary PHP, successful exploitation can create rogue administrator accounts, plant webshells and open further footholds on compromised servers. Wordfence’s analysis emphasizes that the flaw enables attackers to take over vulnerable sites rather than merely deface them.
What this means for technologists, affected enterprises, and security teams
- Technologists and security teams: Sites using Everest Forms Pro should update to version 1.9.13 immediately; only forms with the "Complex Calculation" feature enabled are vulnerable, so review those forms and temporarily disable the feature where feasible, but treat that as a stopgap rather than a substitute for the update.
- Affected enterprises and procurement leaders: The plugin is a commercial product with roughly 4,000 active installations. Confirm whether your software inventories include Everest Forms Pro and require proof of the 1.9.13 update for hosted sites and managed WordPress environments.
- Defenders and incident responders: Wordfence telemetry shows automated, high-volume exploitation attempts and a repeated payload that tries to add an administrator named "diksimarina", so review user tables and recent logs for that account, the diksimarina@gmail.com address and requests from 202.56.2.126, and weigh those indicators when triaging alerts. Updating closes the injection path but does not remove a rogue account or webshell planted before the patch, so sites that were exposed should be checked even after they are updated.
The narrow technical root, submitted values containing single quotes concatenated into an eval() call, made the problem both simple to explain and high risk in practice. WPEverest has released a fix in 1.9.13 and administrators have been urged to update; the rapid, high-volume exploitation reported by Wordfence shows how quickly an exploit is weaponized once a reliable injection path is public. Administrators who have not yet updated must weigh the near-term risk of automated takeover attempts against the effort needed to patch and validate their sites.
Source: https://www.infosecurity-magazine.com/news/everest-forms-pro-rce-actively/