Critical Vulnerability in Everest Forms Pro Plugin Exploited by Cybercriminals
Attackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin that lets them take full control of WordPress websites.
This security flaw affects all versions prior to 1.9.12 and can be exploited without any authentication to execute arbitrary code on the server.
Everest Forms Pro serves as a commercial extension for the WordPress form builder known as Everest Forms, widely utilized for creating contact forms, registration interfaces, and other bespoke application forms.
The vulnerability, tracked as CVE-2026-3300, lies in the plugin's Complex Calculation feature, which takes values submitted through form fields and interpolates them into a string of PHP code that is then executed with PHP's eval() function.
Although the values pass through sanitize_text_field(), that function does not escape characters such as the single quote (') that carry meaning in PHP syntax.
An attacker can therefore close the intended string literal, append arbitrary PHP code, and comment out the remainder of the generated code, achieving code execution on the server.
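The safe design the flaw points to is to never let a form value become part of executable code: validate each calculation field as a number and evaluate the owner's formula with a parser instead of eval(). The following is an added illustration, not Everest Forms Pro code or the vendor's patch; the {qty}/{price} placeholder syntax and field names are assumptions made for the example.

```php
<?php
// Added example, not Everest Forms Pro code: a calculation feature that keeps
// form values out of executable code. Placeholder syntax and field names are
// assumptions for this illustration.

// Accept a field value only if it is a plain number. sanitize_text_field()
// leaves quotes intact, so it is no defence against code injection; strict
// numeric validation rejects quotes, semicolons and comment markers outright.
function calc_operand(string $raw): float
{
    $value = trim($raw);
    if ($value === '' || !is_numeric($value)) {
        throw new InvalidArgumentException("Calculation field is not numeric: $value");
    }
    return (float) $value;
}

// Recursive-descent evaluator for + - * / and parentheses over numeric
// literals. The formula is parsed and computed, never executed as PHP.
final class ArithmeticEvaluator
{
    private string $src;
    private int $pos = 0;

    public function __construct(string $src)
    {
        $this->src = preg_replace('/\s+/', '', $src);
    }

    public function evaluate(): float
    {
        $v = $this->expr();
        if ($this->pos !== strlen($this->src)) {
            throw new InvalidArgumentException("Unexpected character at offset {$this->pos}");
        }
        return $v;
    }

    private function peek(): string
    {
        return $this->pos < strlen($this->src) ? $this->src[$this->pos] : '';
    }

    private function expr(): float
    {
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $r = $this->term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float
    {
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) {
                throw new DivisionByZeroError('Formula divides by zero');
            }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float
    {
        if ($this->peek() === '(') {
            $this->pos++;
            $v = $this->expr();
            if ($this->peek() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        if ($this->peek() === '-') {
            $this->pos++;
            return -$this->factor();
        }
        if (preg_match('/\G\d+(?:\.\d+)?/', $this->src, $m, 0, $this->pos)) {
            $this->pos += strlen($m[0]);
            return (float) $m[0];
        }
        throw new InvalidArgumentException("Expected a number at offset {$this->pos}");
    }
}

// Replace each {field} in the owner-written formula with its validated number,
// then evaluate. A value containing a quote never reaches the evaluator,
// because calc_operand() throws first.
function evaluate_formula(string $formula, array $fields): float
{
    $expr = preg_replace_callback('/\{([A-Za-z_]+)\}/', function (array $m) use ($fields): string {
        if (!array_key_exists($m[1], $fields)) {
            throw new InvalidArgumentException("Unknown field {$m[1]}");
        }
        // Fixed-point formatting keeps the literal inside the evaluator's grammar
        // (no exponent notation); parentheses preserve the sign of negatives.
        return '(' . sprintf('%F', calc_operand((string) $fields[$m[1]])) . ')';
    }, $formula);
    return (new ArithmeticEvaluator($expr))->evaluate();
}

// Legitimate submission: 3 * 19.99 + 5 prints 64.97
echo evaluate_formula('{qty} * {price} + 5', ['qty' => '3', 'price' => '19.99']), "\n";

// A value carrying a single quote is refused instead of being interpolated.
try {
    evaluate_formula('{qty} * {price}', ['qty' => "3'", 'price' => '1']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The point of the design is that the only user-controlled data the evaluator ever sees is a float that has already passed is_numeric(), so the class of bug described above (breaking out of a string literal inside code that is later eval()'d) has no code string to break out of.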
Telemetry from the Wordfence firewall and malware scanner shows the vulnerability is being actively exploited in the wild to create rogue administrator accounts.
“The attacker inputs a value in a text field starting with a single quote to close the enclosing string literal, followed by a PHP statement that invokes wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” explains a report from Wordfence.
“The consequent // comment marker guarantees that the rest of the generated PHP code, including the closing quote, is treated as a comment, thus avoiding a syntax error.”
“Upon processing the form and evaluating the calculation, the injected PHP code is executed, culminating in the creation of the malicious administrator account.”
With administrator-level access, attackers can execute high-risk operations on compromised websites, including content manipulation, plugin and theme installations, backdoor embedding, and database access.
The vulnerability was reported to Wordfence by researcher h0xilo in February, and Everest Forms' developers released a patch on March 18.
Wordfence reports that the exploitation attempts come primarily from two IP addresses, 202.56.2[.]126 and 209.146.60[.]26, and recommends that defenders block them.
Furthermore, Wordfence’s report enumerates several offending IP addresses as indicators of compromise (IOCs).

Website administrators are also urged to review log files and administrator accounts carefully for suspicious activity, in particular anything involving the username “diksimarina.”
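A concrete way to carry out that review is to match the indicators the report names against web-server access logs and the site's user list. The script below is an added example, not from Wordfence or the article; the log lines and user rows are constructed for illustration, the IP addresses are the two from the report written without the defanging brackets so they compare to real log entries, and the "administrator created after" cutoff is an assumption the site owner sets from their own timeline.

```php
<?php
// Added example, not from Wordfence or the article: check access logs and a
// WordPress user list for the indicators the report names. Sample data below
// is constructed; the registration cutoff is an assumption.

const IOC_IPS = ['202.56.2.126', '209.146.60.26'];
const IOC_USERNAMES = ['diksimarina'];

// Return [lineNumber => ip] for every access-log line whose client IP is an IOC.
// The IP is the first space-delimited token of a combined-format line; exact
// comparison avoids substring false positives such as 202.56.2.1260.
function find_ioc_ips(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $i => $line) {
        $ip = strtok($line, ' ');
        if ($ip !== false && in_array($ip, IOC_IPS, true)) {
            $hits[$i + 1] = $ip;
        }
    }
    return $hits;
}

// Flag user rows (wp_users fields plus the role) whose login is a known IOC or
// that hold the administrator role and were registered after $since.
function find_suspicious_users(array $users, string $since): array
{
    $cutoff = new DateTimeImmutable($since);
    $flagged = [];
    foreach ($users as $u) {
        $reasons = [];
        if (in_array(strtolower($u['user_login']), IOC_USERNAMES, true)) {
            $reasons[] = 'known malicious username';
        }
        if ($u['role'] === 'administrator' && new DateTimeImmutable($u['user_registered']) > $cutoff) {
            $reasons[] = "administrator created after $since";
        }
        if ($reasons) {
            $flagged[$u['user_login']] = $reasons;
        }
    }
    return $flagged;
}

// Constructed sample access log (combined format) and user rows.
$accessLog = <<<'LOG'
203.0.113.10 - - [19/Mar/2026:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
202.56.2.126 - - [19/Mar/2026:10:02:14 +0000] "POST /contact/ HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [19/Mar/2026:10:03:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
209.146.60.26 - - [19/Mar/2026:10:05:09 +0000] "POST /contact/ HTTP/1.1" 200 87 "-" "curl/8.4.0"
LOG;

$users = [
    ['user_login' => 'siteowner',   'role' => 'administrator', 'user_registered' => '2024-05-02 09:00:00'],
    ['user_login' => 'editor1',     'role' => 'editor',        'user_registered' => '2026-03-19 11:00:00'],
    ['user_login' => 'diksimarina', 'role' => 'administrator', 'user_registered' => '2026-03-19 10:02:15'],
];

foreach (find_ioc_ips($accessLog) as $line => $ip) {
    echo "access log line $line: request from IOC address $ip\n";
}
foreach (find_suspicious_users($users, '2026-03-01 00:00:00') as $login => $reasons) {
    echo "user '$login': " . implode('; ', $reasons) . "\n";
}
```

Run against a real site, the user rows would come from a query on wp_users joined with the capabilities metadata (or from a WP-CLI user export) and the log from the web server's access log; flagged lines should be correlated by timestamp with the form submission that preceded the account creation.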
Source link: Bleepingcomputer.com.