
Hackers Actively Exploiting Critical RCE Flaw in Everest Forms Pro WordPress Plugin


Sarah Simpson
June 4, 2026

Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin. This flaw allows unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable websites.

The flaw, tracked as CVE-2026-3300 with a CVSS score of 9.8, affects all versions up to and including 1.9.12 and has already been observed in widespread exploitation campaigns.

The vulnerability was publicly disclosed on March 30, 2026, after the vendor released a patch on March 18, 2026. Despite the availability of a fix, threat actors began actively targeting unpatched installations on April 13, 2026.

According to Wordfence threat intelligence data, more than 29,300 exploitation attempts have been blocked, with a significant spike of over 17,900 attacks recorded on May 16 alone.

Total Number of Exploits Blocked (source: Wordfence)

WordPress Plugin Exploitation

The root cause lies in the plugin’s “Complex Calculation” feature, specifically in the process_filter() function. That function builds PHP source code by concatenating user-supplied form values into a string and then executes the result with the dangerous eval() function.

The inputs do pass through sanitize_text_field(), but that helper only strips tags and control characters; it does not escape single quotes. A quote inside a submitted value therefore terminates the string literal the plugin wraps it in, and everything after it is parsed as PHP code.

This design flaw allows unauthenticated attackers to craft malicious payloads through standard form fields such as text, email, URL, select, and radio inputs.

Shows where Wordfence blocks exploitation attempts before compromise(source: Wordfence)

By submitting a value that starts with a single quote, followed by arbitrary PHP code and a comment sequence that swallows the remainder of the generated statement, an attacker controls what the plugin evaluates and achieves code execution on the server.
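The PHP below is an added example written for this article; it is not code from Everest Forms Pro or from Wordfence. The function and field names (ef_sanitize, vulnerable_calculate, hardened_calculate, qty, price) are hypothetical. What it reproduces is the bug class described above: a stand-in for sanitize_text_field() that leaves quotes intact, form values spliced into PHP string literals and handed to eval(), and a payload of the shape quote + code + comment. The hardened version beside it shows the minimum fix: numeric validation, numeric literals only, and an allow-list over the generated expression before anything is evaluated.

```php
<?php
// Added example, not the plugin's code. A minimal stand-in for an eval()-based
// "calculation" feature (function and field names are hypothetical) showing the
// bug class the advisory describes, next to a hardened version.

// Stand-in for WordPress' sanitize_text_field(): tags and control characters go,
// but single quotes survive, so it does nothing against string-context breakout.
function ef_sanitize(string $s): string {
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
}

// VULNERABLE: each form value is embedded in a PHP single-quoted literal and the
// generated source is passed to eval(). A value containing a quote ends the
// literal early; a trailing "//" then comments out the closing quote and semicolon.
function vulnerable_calculate(string $formula, array $fields): float {
    $code = '';
    foreach ($fields as $name => $value) {
        $code .= "\$v['" . $name . "'] = '" . ef_sanitize($value) . "';\n";
    }
    // {qty} * {price}  ->  (float) $v['qty'] * (float) $v['price']
    $expr = preg_replace('/\{(\w+)\}/', '(float) $v[\'$1\']', $formula);
    $code .= 'return ' . $expr . ';';
    return (float) eval($code);
}

// HARDENED: values must be numeric and are embedded as number literals, and the
// final expression is allow-listed to arithmetic characters before evaluation,
// so no string context exists for an attacker to break out of.
// (Replacing eval() with a real expression parser is better still.)
function hardened_calculate(string $formula, array $fields): float {
    $expr = $formula;
    foreach ($fields as $name => $value) {
        if (!is_numeric($value)) {
            throw new InvalidArgumentException("field '$name' is not numeric");
        }
        $expr = str_replace('{' . $name . '}', var_export((float) $value, true), $expr);
    }
    if (!preg_match('/^[0-9.\s+\-*\/()]+$/', $expr)) {
        throw new InvalidArgumentException('formula contains non-arithmetic characters');
    }
    try {
        return (float) eval('return ' . $expr . ';');
    } catch (Throwable $e) {            // ParseError, DivisionByZeroError, ...
        throw new InvalidArgumentException('formula did not evaluate: ' . $e->getMessage());
    }
}

$formula = '{qty} * {price}';

// Benign input: both versions compute the product.
echo "vulnerable, benign: ", vulnerable_calculate($formula, ['qty' => '12', 'price' => '3']), "\n";
echo "hardened, benign:   ", hardened_calculate($formula, ['qty' => '12', 'price' => '3']), "\n";

// Attacker input: quote to close the literal, PHP to run, "//" to discard the rest.
// The injected statement only sets a marker here; in the wild it is wp_insert_user().
$payload = "'; \$GLOBALS['ef_injected'] = 'yes'; //";
vulnerable_calculate($formula, ['qty' => $payload, 'price' => '3']);
echo "vulnerable, payload: marker is ", $GLOBALS['ef_injected'] ?? 'not set', "\n";

try {
    hardened_calculate($formula, ['qty' => $payload, 'price' => '3']);
} catch (InvalidArgumentException $e) {
    echo "hardened, payload: rejected (", $e->getMessage(), ")\n";
}
```

Run it with the php CLI. The vulnerable path executes the injected assignment to $GLOBALS as a side effect of "calculating" the form, which is exactly how a wp_insert_user() call ends up running on a real site; the hardened path refuses the payload at the is_numeric() check before any code is generated, and the allow-list regex is a second line of defence in case a developer-controlled formula ever carries anything but arithmetic.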

Observed attack patterns indicate that threat actors primarily exploit this vulnerability to create rogue administrator accounts.

In one common exploitation attempt, attackers inject PHP code that calls WordPress’s wp_insert_user() function to create a new admin user with the username “diksimarina.”

Once administrative access is established, attackers can upload webshells, modify site content, deploy backdoors, or pivot further into the hosting environment.

Security telemetry identified multiple IPs actively exploiting Everest Forms Pro, generating thousands of malicious requests and serving as strong IOCs for blocking and monitoring.

High-Activity Malicious IP Addresses:

202.56.2[.]126: Tens of thousands of blocked requests.

209.146.60[.]26: Several thousand exploit attempts.

15.235.166[.]18: Hundreds of malicious requests.

2402:1f00:8000[:]800::40db: Active IPv6 exploit activity.

185.78.165[.]153: Confirmed hostile scanning activity.

Blocked exploit attempts by IP (source: Wordfence)

The attacks typically target the /wp-admin/admin-ajax.php endpoint, submitting specially crafted POST requests designed to exploit the vulnerable calculation logic.
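As an added example (not Wordfence's or the plugin's code), the PHP below refangs the defanged IP list above and runs it over a few constructed combined-format access-log lines, flagging POSTs to /wp-admin/admin-ajax.php from those addresses. Ordinary access logs do not record the POST body, so this is source-based triage rather than detection of the payload itself; the sample log lines are invented for the demo.

```php
<?php
// Added example, not Wordfence's or the plugin's code: triage a web server access
// log for POSTs to admin-ajax.php from the IPs listed in this article. The log
// lines below are constructed for the demo; the IP list is copied from the
// article in its defanged form and refanged here.

const IOC_IPS_DEFANGED = [
    '202.56.2[.]126',
    '209.146.60[.]26',
    '15.235.166[.]18',
    '2402:1f00:8000[:]800::40db',
    '185.78.165[.]153',
];

// Turn "1.2.3[.]4" / "2001:db8[:]1::" back into a real address string.
function refang(string $ioc): string {
    return str_replace(['[.]', '[:]'], ['.', ':'], $ioc);
}

// Parse one line in Apache/nginx combined log format into its parts.
// Returns null for lines that do not match the format.
function parse_combined_log(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'ua' => $m[6]];
}

// Flag POSTs to admin-ajax.php from IOC addresses. Addresses are compared in
// binary form via inet_pton(), so "2402:1F00:8000:0800::40DB" still matches the
// compressed lower-case IOC. Returns one record per hit.
function find_exploit_attempts(array $lines, array $iocs): array {
    $set = [];
    foreach ($iocs as $ioc) {
        $bin = inet_pton(refang($ioc));
        if ($bin !== false) {
            $set[$bin] = $ioc;
        }
    }
    $hits = [];
    foreach ($lines as $n => $line) {
        $r = parse_combined_log($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        if (strpos($r['path'], '/wp-admin/admin-ajax.php') !== 0) {
            continue;
        }
        $bin = inet_pton($r['ip']);
        if ($bin !== false && isset($set[$bin])) {
            $hits[] = ['line' => $n + 1, 'ip' => $r['ip'], 'ioc' => $set[$bin],
                       'time' => $r['time'], 'status' => $r['status']];
        }
    }
    return $hits;
}

// Constructed sample log (not real traffic). Lines 2 and 3 should be flagged;
// line 4 is a POST to the same endpoint from an address not on the list.
$sample = [
    '198.51.100.7 - - [16/May/2026:10:01:12 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [16/May/2026:10:01:14 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '2402:1F00:8000:0800::40DB - - [16/May/2026:10:02:03 +0000] "POST /wp-admin/admin-ajax.php?action=x HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '198.51.100.9 - - [16/May/2026:10:03:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
];

foreach (find_exploit_attempts($sample, IOC_IPS_DEFANGED) as $h) {
    printf("line %d: %s (IOC %s) POST to admin-ajax.php, HTTP %d at %s\n",
           $h['line'], $h['ip'], $h['ioc'], $h['status'], $h['time']);
}
```

A 200 response to one of these POSTs is the line to chase: the WAF did not block it, so the request reached the plugin. A hit from an unlisted address (line 4 in the sample) is not evidence on its own, since admin-ajax.php is a legitimate endpoint for many plugins, which is why the user-account audit below matters as much as the log review.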

The vulnerability poses a significant risk because it does not require authentication and can be triggered remotely through publicly accessible forms.

Any website using Everest Forms Pro with the Complex Calculation feature enabled is particularly exposed.

Wordfence customers received early protection through firewall rules as early as February 27, 2026, while free users were protected starting March 29, 2026.

A firewall rule is a stopgap, not a fix: only updating to the patched release, 1.9.13, removes the vulnerable code, so the update remains critical even for sites that already sit behind a WAF.

Website administrators are strongly advised to update the plugin immediately, audit user accounts for unauthorized administrator creation, and review server logs for suspicious requests.

Indicators of compromise include administrator accounts that nobody on the team created (especially any matching the observed attacker pattern) and requests to admin-ajax.php from the IP addresses listed above.

Given the active exploitation and low barrier to attack, this vulnerability represents a high-impact threat to WordPress environments, reinforcing the need for timely patching and continuous monitoring.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
