Critical Vulnerability in Everest Forms Pro Leads to Hijacking of WordPress Sites

  • Exploitation of Critical RCE Vulnerability in Everest Forms Pro (CVE‑2026‑3300)
  • Malicious Actors Establish Rogue Admin Account “diksimarina” via PHP Injection
  • Nearly 30,000 Takeover Attempts Thwarted; Administrators Urged to Implement Patches and Block Key IPs

Security researchers have warned of a widespread attack campaign against WordPress sites that run a popular form-building plugin.

Wordfence reports that Everest Forms Pro, a widely used WordPress plugin for building contact, registration and payment forms, contains a critical vulnerability that lets attackers take complete control of affected sites.

The flaw is a Remote Code Execution (RCE) vulnerability caused by PHP code injection. It is tracked as CVE-2026-3300 with a severity score of 9.8 out of 10 and affects all versions of the plugin up to and including 1.9.12.

Patch Released Months Ago

Wordfence has since warned that the flaw is being actively exploited to create rogue administrator accounts on vulnerable sites:

According to Wordfence, the attacker submits a text-field value that begins with a single quote, which closes the string literal into which the field value is interpolated.

The value then continues with a PHP call to wp_insert_user() that creates a new administrator account with the username ‘diksimarina’.

“The appended // comment marker ensures that the remaining PHP code, including the closing quote, is interpreted as a comment, thereby preventing syntax errors.”

The report elucidates, “During form processing, once the calculations are executed, the injected PHP code becomes operational, resulting in the creation of the malicious admin account.”

With an administrator account in hand, attackers have full control of the site: they can exfiltrate stored files, redirect visitors, or distribute malware.

The vulnerability was first disclosed in February, and the Everest Forms developers shipped a fix in March. Exploitation attempts nevertheless surged in mid-April.

To date, Wordfence has blocked nearly 30,000 attempts, most of them originating from two IP addresses.


Administrators should update the plugin to a patched version, block the two IP addresses 202.56.2[.]126 and 209.146.60[.]26, search their log files for any occurrence of the string “diksimarina”, and check the site's user list for an administrator account of that name.
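The log check described above, as an added example that is not part of the original article or of Wordfence's tooling: a small Python scanner that flags access-log lines coming from the two reported IP addresses or containing the rogue username. Lines are URL-decoded before the username search so that a percent-encoded form value is not missed. The log lines embedded below are constructed for illustration, not real traffic.

```python
import re
from urllib.parse import unquote

# Indicators reported in the article for the CVE-2026-3300 campaign.
BLOCKED_IPS = {"202.56.2.126", "209.146.60.26"}
ROGUE_USERNAME = "diksimarina"

# Client IP at the start of an Apache/nginx combined-format log line.
_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def scan_log_line(line: str) -> list[str]:
    """Return the indicators matched by one log line (empty list if clean).

    The whole line is URL-decoded before the username search so that a
    payload submitted as a percent-encoded value (e.g. diksi%6darina)
    is still caught.
    """
    hits = []
    m = _IP_RE.match(line)
    if m and m.group(1) in BLOCKED_IPS:
        hits.append(f"source ip {m.group(1)}")
    if ROGUE_USERNAME in unquote(line).lower():
        hits.append(f"username {ROGUE_USERNAME}")
    return hits


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Scan an iterable of log lines; return (line_number, indicators) per hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = scan_log_line(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample access-log lines (not real traffic) to exercise the scanner.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Apr/2026:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '202.56.2.126 - - [15/Apr/2026:10:01:09 +0000] "POST /contact/ HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.7 - - [15/Apr/2026:10:02:15 +0000] "GET /wp-login.php?log=diksi%6darina HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
    '209.146.60.26 - - [15/Apr/2026:10:03:41 +0000] "POST /contact/ HTTP/1.1" 200 87 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

To run it against a real log, replace SAMPLE_LOG with the lines of the web server's access log (for example `open("/var/log/apache2/access.log")`); a hit on the username indicator is a stronger signal than a hit on an IP alone, since the IPs may rotate while the account name has been constant across the campaign.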

Source link: Techradar.com.


Reported By

Souvik Banerjee
