
Hackers Exploit Everest Forms Pro Flaw to Hijack WordPress Sites


Over 29,300 exploitation attempts against a single WordPress plugin vulnerability were blocked, according to Wordfence telemetry — a figure that underscores active, automated attacks tied to CVE-2026-3300.

Wordfence telemetry and blocked attempts

Wordfence, the WordPress firewall and malware scanner, reports active exploitation of a critical flaw in the Everest Forms Pro plugin beginning April 13. The firewall blocked more than 29,300 attempts that leveraged CVE-2026-3300, and Wordfence’s report attributes most traffic to two IP addresses: 202.56.2[.]126 and 209.146.60[.]26. The company also published a set of offending IP addresses as indicators of compromise (IOCs) and recommends defenders block the main sources of attack traffic.

How CVE-2026-3300 allows remote code execution

The vulnerability affects Everest Forms Pro versions 1.9.12 and earlier and is rooted in the plugin’s Complex Calculation feature. That feature accepts values submitted through form fields, inserts them into a PHP code string, and executes the resulting string with PHP’s eval() function. Although user input is passed through sanitize_text_field(), that sanitization does not escape single quotes (') or other characters that influence PHP syntax. An attacker can therefore close the intended string, inject arbitrary PHP, and comment out the remainder of the generated code to force execution on the server.

Wordfence describes the exploitation pattern in detail: “The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’.” The report adds that “The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”

Attacker behavior: rogue administrator accounts and post-compromise risk

Telemetry shows attackers are using the code-execution primitive to create rogue administrator accounts. Wordfence explains: “When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created.” Administrator-level access, the report notes, allows attackers to “modify content, install plugins and themes, plant backdoors and webshells, and access private databases.” These are high-risk, high-impact actions that can persist beyond the initial exploit.

Patch history, disclosure, and recommendations for defenders

Researcher h0xilo submitted the issue through Wordfence in February. The Everest Forms developer released a patch that addresses the vulnerability on March 18. Wordfence’s recommendations to defenders include installing the March 18 patch where it has not already been applied, blocking the identified IP addresses, and reviewing logs and administrator accounts for suspicious activity—specifically for the string “diksimarina.”

What this means for website administrators, security teams, and the Everest Forms developer

  • Website administrators: Confirm your Everest Forms Pro installation is updated to the March 18 patch that addresses CVE-2026-3300; review logs and administrator lists for any entries containing “diksimarina”; and search for signs of backdoors or webshells left by attackers.
  • Security teams and incident responders: Add the reported IOCs and the two primary IP addresses (202.56.2[.]126 and 209.146.60[.]26) to detection and blocking lists where appropriate, and investigate any blocked attempts or successful creations of administrator accounts for evidence of lateral actions such as plugin/theme installs or database access.
  • Everest Forms developer: The developer has released a patch; maintainers should continue to monitor telemetry for exploitation patterns, ensure users are notified to update, and consider additional hardening of features that dynamically evaluate code strings.
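The log and account review recommended above, as an added example that is not Wordfence’s or the plugin’s code: it scans constructed sample log lines for the two reported source IPs, for the quote-then-function-call-then-// injection shape the report describes, and for the rogue username, and checks a constructed user export for that account. The log layout, the form field names, and the extra heuristic that flags any administrator registered on or after April 13 are assumptions, not from the report.

```python
import re

# Indicators quoted from the Wordfence report summarized above (undefanged for matching).
IOC_IPS = {"202.56.2.126", "209.146.60.26"}
ROGUE_USERNAME = "diksimarina"

# Heuristic for the injection shape described above: a quote closing the string
# literal, then a PHP function call, then a trailing // comment marker.
INJECTION_RE = re.compile(r"'.*?\b\w+\s*\(.*//\s*$")

# Assumed log layout: ip - [ts] "METHOD path" status body (POST body from a WAF/app log).
LOG_RE = re.compile(r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+)" (?P<status>\d{3}) (?P<body>.*)$')

# Constructed sample lines, not real telemetry; payload arguments are elided.
SAMPLE_LOG = """\
198.51.100.7 - [14/Apr/2026:10:01:02 +0000] "POST /contact/" 200 everest_forms[qty]=3&everest_forms[note]=it's fine
202.56.2.126 - [14/Apr/2026:10:02:17 +0000] "POST /contact/" 200 everest_forms[qty]='; wp_insert_user(...diksimarina...); //
209.146.60.26 - [14/Apr/2026:10:03:44 +0000] "GET /wp-login.php" 200 -
"""

# Constructed sample of a WordPress user export (login, role, registration date).
SAMPLE_USERS = [
    {"login": "owner", "role": "administrator", "registered": "2023-05-01"},
    {"login": "editor1", "role": "editor", "registered": "2026-04-14"},
    {"login": "diksimarina", "role": "administrator", "registered": "2026-04-14"},
]

def scan_log(log_text: str) -> list[dict]:
    """Flag lines by IoC source IP, injection-shaped POST body, or the rogue username."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # unparseable line; a production scanner should count these
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if m["method"] == "POST" and INJECTION_RE.search(m["body"]):
            reasons.append("injection_signature")
        if ROGUE_USERNAME in m["body"]:
            reasons.append("rogue_username")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "reasons": reasons})
    return findings

def scan_admins(users: list[dict], first_seen: str = "2026-04-13") -> list[dict]:
    """Flag administrators with the rogue username or registered on/after the date
    exploitation was first observed (assumed heuristic; ISO dates compare as strings)."""
    return [u for u in users if u["role"] == "administrator"
            and (u["login"] == ROGUE_USERNAME or u["registered"] >= first_seen)]
```

A plain apostrophe in a field value ("it's fine") does not trip the injection heuristic, but any administrator created after the first-seen date is flagged for manual review, not treated as proof of compromise.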

The record in this case is straightforward: a construct that inserts user-submitted values into an eval() call was weaponized in the wild, the exploit pattern is clear and repeatable, and defenders have concrete, immediate actions — apply the March 18 patch, search logs for “diksimarina,” and block the named IPs. The broader test for site owners and security teams will be whether those steps are taken quickly enough to prevent attackers who continue to scan and weaponize known plugin flaws.
