Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

Staff Editor 2026-06-05
Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html

Publish Date: 2026-06-05 04:38:00

Source Domain: thehackernews.com

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise.

The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was released on March 18, 2026, with version 1.9.13.

“This is due to the Calculation Addon’s process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(),” Wordfence said.

“The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the ‘Complex Calculation’ feature.”

Successful exploitation of the vulnerability could allow unauthenticated bad actors to execute arbitrary PHP code on the server, permitting them to create rogue administrator accounts, deploy web shells, and open other ways to burrow deeper into the server and establish persistent footholds.

According to the WordPress security company, attackers have been observed exploiting the flaw starting April 13, 2026. More than 29,300 exploit attempts targeting the defect have been blocked to date. Of these, 16 attack attempts occurred in the last 24 hours. The most common payload involves attempts to create an administrator account named “diksimarina” (email address: [email protected]) on the compromised site.

These attack efforts have originated from the following IP addresses –

  • 202.56.2.126
  • 209.146.60.26
  • 15.235.166.18
  • 2402:1f00:8000:800::40db
  • 185.78.165.153

Skimmer Attacks Exploit Stripe for C2

The disclosure comes as Sansec warned of…

Source

More Stories

NICC offers new computing and cybersecurity program for high school students | 97 Seven Country WGLR – The Tri-States Best Variety of Country

NICC offers new computing and cybersecurity program for high school students | 97 Seven Country WGLR – The Tri-States Best Variety of Country

Staff Editor 2026-06-05
Ashley Devoto Named Air Force CIO

Ashley Devoto Named Air Force CIO

Staff Editor 2026-06-05
AI Governance Expectations on the Rise for Insurers Amid New Regulatory Activity: NYDFS Highlights Frontier Risks, Colorado Redefines its AI Law, and NAIC Prepares Regulators with New Tools | Hinshaw & Culbertson – Privacy, Cyber & AI Decoded

AI Governance Expectations on the Rise for Insurers Amid New Regulatory Activity: NYDFS Highlights Frontier Risks, Colorado Redefines its AI Law, and NAIC Prepares Regulators with New Tools | Hinshaw & Culbertson – Privacy, Cyber & AI Decoded

Staff Editor 2026-06-05

Terms and Conditions - Privacy Policy