Critical Everest Forms Pro Vulnerability Exploited to Take Over WordPress Sites

by Anika Shah - Technology

Critical Vulnerability in Everest Forms Pro Plugin Exposes WordPress Sites to Full Takeover

Hackers are exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin that lets them take control of WordPress websites without authenticating. The flaw, which affects versions 1.9.12 and earlier, sits in the plugin’s Complex Calculation feature, where form input reaches PHP’s eval() function and can be turned into arbitrary code execution, according to a report by Wordfence.

How the Exploit Works

The vulnerability resides in the Complex Calculation feature, which takes values submitted through a form and splices them into a string of PHP code that is then passed to eval(). The input does pass through sanitize_text_field(), but that function only strips tags, line breaks and surrounding whitespace; it does not escape single quotes, so a submitted value containing a quote can close the string literal the plugin builds and continue with attacker-chosen PHP. By closing the intended string with a single quote and appending a wp_insert_user() call, attackers create rogue administrator accounts, such as “diksimarina,” as detailed in the Wordfence analysis.


“The trailing // comment marker ensures the rest of the generated PHP code is treated as a comment, preventing syntax errors,” the report explains. Once the injected code runs, the attackers hold an administrator account of their own, which lets them modify content, install backdoors, or read the site’s database.
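The following PHP is an added illustration and not code from Everest Forms Pro or from Wordfence: it reconstructs the class of bug described above (a form value spliced into a single-quoted PHP string literal that is handed to eval()) next to a hardened replacement that never calls eval() at all. The function and class names, the stand-in for sanitize_text_field(), and the sample payload are all assumptions; the real attacks appended a wp_insert_user() call, which is replaced here by a harmless global flag so the script runs outside WordPress.

```php
<?php
declare(strict_types=1);

// Added example (not the plugin's code). All names here are assumptions.

// Stand-in for WordPress's sanitize_text_field(): strips tags and line breaks
// and trims, but leaves single quotes intact, which is exactly the problem.
function demo_sanitize_text_field(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\r\n\t]+/', ' ', $value);
    return trim($value);
}

// VULNERABLE pattern: build PHP source around the "sanitized" value and eval() it.
// build_vulnerable_code() returns the generated source so it can be inspected.
function build_vulnerable_code(string $field_value): string
{
    $safe = demo_sanitize_text_field($field_value);
    return "\$v = '" . $safe . "'; return (float) \$v * 2;";
}

function run_vulnerable(string $field_value)
{
    return eval(build_vulnerable_code($field_value));
}

// HARDENED replacement: a whitelist of arithmetic characters plus a tiny
// recursive-descent evaluator. Anything else (quotes, letters, semicolons)
// is rejected before any evaluation happens, and eval() is never used.
final class SafeCalc
{
    private string $s;
    private int $p = 0;

    private function __construct(string $s) { $this->s = $s; }

    public static function evaluate(string $expr): ?float
    {
        $s = preg_replace('/\s+/', '', $expr);
        if ($s === '' || !preg_match('/^[0-9+\-*\/().]+$/', $s)) {
            return null;
        }
        try {
            $c = new self($s);
            $v = $c->expr();
            return $c->p === strlen($s) ? $v : null; // trailing junk -> reject
        } catch (Throwable $e) {
            return null;
        }
    }

    private function peek(): string { return $this->s[$this->p] ?? ''; }

    private function expr(): float
    {
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->p++;
            $r = $this->term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float
    {
        $v = $this->atom();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->p++;
            $r = $this->atom();
            if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function atom(): float
    {
        $c = $this->peek();
        if ($c === '(') {
            $this->p++;
            $v = $this->expr();
            if ($this->peek() !== ')') throw new InvalidArgumentException('missing )');
            $this->p++;
            return $v;
        }
        if ($c === '-') { $this->p++; return -$this->atom(); }
        if (!preg_match('/\G\d+(\.\d+)?/', $this->s, $m, 0, $this->p)) {
            throw new InvalidArgumentException('number expected');
        }
        $this->p += strlen($m[0]);
        return (float) $m[0];
    }
}

// Benign input: the generated source is the intended calculation.
echo build_vulnerable_code('21'), PHP_EOL;

// Constructed payload in the shape described above: close the string literal,
// run attacker code, then comment out the rest of the generated line.
$payload = "'; \$GLOBALS['demo_pwned'] = true; //";
$GLOBALS['demo_pwned'] = false;
echo build_vulnerable_code($payload), PHP_EOL;
run_vulnerable($payload);
var_dump($GLOBALS['demo_pwned']); // the injected statement executed

// The hardened evaluator accepts arithmetic and rejects the payload outright.
var_dump(SafeCalc::evaluate('21 * 2'));
var_dump(SafeCalc::evaluate('(2+3)*4 - 6/3'));
var_dump(SafeCalc::evaluate($payload));
```

Run it with `php example.php`. The point of the hardened version is not better escaping: quoting user input into source code and evaluating it is the design flaw, and the fix is to parse the expression yourself (or use a dedicated expression library) so that user input is only ever data.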

Exploitation Timeline and Scope

The vulnerability was reported to Wordfence by researcher h0xilo in February 2026, and a patch was released on March 18. Exploitation attempts began as early as April 13; Wordfence reports blocking over 29,300 of them, the majority originating from two IP addresses: 202.56.2[.]126 and 209.146.60[.]26.

“This is a high-risk flaw that could lead to complete website compromise if left unpatched,” said Wordfence. The firm also published indicators of compromise (IOCs), urging administrators to block the malicious IPs and review logs for suspicious activity, particularly the “diksimarina” username.

Patch and Response

The March 18 patch fixes the issue, but the speed with which mass exploitation followed suggests many sites have not yet updated. According to the report, Wordfence’s telemetry indicates that 54% of attacks succeed, with only 14% triggering alerts, leaving the majority undetected.


“Organizations must prioritize patching and monitor for unusual administrator activity,” advised the report. Security teams should also audit form configurations and disable the Complex Calculation feature wherever it is not in use.

Recommendations for WordPress Administrators

  • Update Immediately: Update Everest Forms Pro to a release newer than 1.9.12; every version up to and including 1.9.12 is affected.
  • Block Malicious IPs: Use firewall rules to block the identified IP addresses (202.56.2[.]126 and 209.146.60[.]26), bearing in mind that blocking two addresses does not protect an unpatched site from other sources.
  • Review Logs and Users: Check for unauthorized administrator accounts, particularly any whose username contains the string “diksimarina,” and review access logs for requests from the listed IPs.
  • Enable Two-Factor Authentication: Add an extra layer of security against unauthorized logins. Note that this flaw is exploited without authenticating, so two-factor authentication does not stop the rogue account from being created; it limits the use of stolen credentials and, if enforced for every administrator, hampers use of an account the attacker added.

The incident underscores the importance of proactive security measures in managing third-party plugins. As WordPress powers over 43% of websites, vulnerabilities in popular tools like Everest Forms Pro pose a significant threat to the broader digital ecosystem.
