A serious security issue has recently disrupted the WordPress ecosystem: attackers are actively targeting a critical Everest Forms Pro flaw to take over vulnerable websites. This premium form-builder plugin lets users create interactive calculation elements, but an input validation error in that feature leaves hosting environments open to full administrative compromise. Website owners must update their installations immediately.
Inside the Remote Code Execution Flaw
The critical flaw, tracked as CVE-2026-3300, carries an alarming CVSS severity score of 9.8. It resides within the plugin's specialized complex calculation feature. According to the Wordfence report, “This vulnerability can be leveraged by unauthenticated attackers to execute arbitrary PHP code on the server, leading to complete site compromise.”
How the Injection Happens
The plugin evaluates formulas through a function called process_filter(). As the report explains, “The function concatenates submitted form field values into a PHP code string, which is then passed to the eval() function”. The plugin applies only basic text filtering and fails to handle single quotes properly, so an unauthenticated attacker can submit input that breaks out of the string boundary, and the server then executes the injected PHP.
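The defensive alternative to the eval() pattern described above, as an added example that is not the plugin's code: the formula is parsed into a syntax tree and submitted field values are only ever coerced to numbers, so untrusted input never becomes code. It is written in Python rather than the plugin's PHP to show the design, and the placeholder syntax, field names and values are constructed.

```python
import ast
import operator
import re

# Field placeholders in an admin-defined formula, e.g. "{price} * {qty}"
# (constructed placeholder syntax; the plugin's own is not shown on the page).
FIELD_RE = re.compile(r"\{(\w+)\}")

# Only plain arithmetic is permitted; there is no path from input to code.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def _to_number(name, raw):
    """Coerce a submitted field value to a float; anything else (for example a
    value carrying a stray quote) is refused rather than interpreted."""
    try:
        return float(str(raw).strip())
    except ValueError:
        raise ValueError(f"field {name!r} is not numeric: {raw!r}") from None

def _eval_node(node, values):
    """Walk the parsed formula, allowing only numbers, field names and arithmetic."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)
    if isinstance(node, ast.Name):  # a field reference: look up, never execute
        if node.id not in values:
            raise ValueError(f"unknown field {node.id!r}")
        return _to_number(node.id, values[node.id])
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left, values),
                                       _eval_node(node.right, values))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, values))
    # Calls, attributes, strings, comparisons and anything else are rejected.
    raise ValueError(f"disallowed expression element: {type(node).__name__}")

def safe_calculate(formula, submitted):
    """Evaluate a site-owner-defined formula against user-submitted values.

    The trusted formula is parsed into an AST; the untrusted values are only
    looked up and coerced to numbers, so nothing is concatenated into code
    and eval() is never called."""
    expr = FIELD_RE.sub(lambda m: m.group(1), formula)
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"malformed formula: {formula!r}") from exc
    return _eval_node(tree.body, submitted)
```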
Massive Wave of Active WordPress Exploitation
Threat intelligence indicators confirm that malicious groups are aggressively weaponizing this vulnerability in the wild, and telemetry shows a sudden surge in automated web attacks over the past month. Wordfence reported that attackers began probing sites on April 13, 2026, and that its defenses blocked over 17,900 exploit requests on May 16, 2026 alone. Volume on that scale shows that attackers are using the Everest Forms Pro flaw to scan for vulnerable targets indiscriminately.
Rogue Admin Account Creation
The primary objective of these automated campaigns is to establish persistent backdoor access. As Wordfence notes, “The most common payload observed in our blocked requests attempts to create a new administrator account named ‘diksimarina’ on the affected site.” If successful, this rogue account lets the attackers upload web shells, manipulate the site's database, or deploy additional malware.
Immediate Protective Steps
A patched release is already available, and administrators can neutralize this active WordPress exploitation wave by applying it: upgrade to Everest Forms Pro version 1.9.13 or higher right away. Security teams should also audit their user accounts for unauthorized administrators such as “diksimarina”. Ultimately, keeping plugins promptly updated remains the best line of defense against severe web server damage.