Everest Forms Pro Security Flaw Enables Remote Code Execution on WordPress Websites


Severe Vulnerability in Everest Forms Pro Plugin Targeted for Exploitation

A serious vulnerability in the Everest Forms Pro plugin for WordPress is being actively exploited to take over susceptible websites.

According to analysis by the security firm Wordfence, this remote code execution flaw lets unauthorized attackers run PHP commands on the affected server, effectively giving them control of the site.

The issue is tracked as CVE-2026-3300, carries a CVSS score of 9.8 (critical), and affects all versions up to and including 1.9.12.

Developed by WPEverest, Everest Forms Pro is a commercial form builder with approximately 4,000 active installations.

The vulnerability was initially identified by a researcher known as h0xilo, who reported it through Wordfence’s bug bounty initiative.

WPEverest has since fixed the flaw in version 1.9.13. Sites still running earlier versions remain at considerable risk, and administrators should update immediately.

Failures in Sanitization Enable Code Injection

The crux of the vulnerability lies within the Calculation add-on of the WordPress plugin, which executes calculation formulas via PHP’s eval() function.

Submitted field values are concatenated into that PHP string before it is executed, and the sanitize_text_field() function applied to them does not escape single quotes.

An attacker can exploit this by introducing a value with a quote, thus breaking out of the surrounding string and injecting malicious PHP code that eval() subsequently executes.

Only forms that use the “Complex Calculation” feature are vulnerable to this PHP code injection. A variety of field types, including text, email, URL, select, and radio fields, can serve as injection points.

This sets the stage for an attacker to create unauthorized administrator accounts, deploy webshells, and establish additional footholds within the compromised infrastructure.
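The fix pattern for this class of bug is to stop treating submitted values as source code at all. The following is an added example, not code from WPEverest or Wordfence: a hypothetical replacement for a calculation routine, assuming a `{field_N}` placeholder syntax, that substitutes only numeric values into the formula and evaluates the arithmetic with a small parser instead of eval(), so a quote or PHP syntax in a field can never execute.

```php
<?php
// Added example, not code from WPEverest or Wordfence. Hypothetical replacement for a
// calculation routine that splices submitted field values into a string passed to eval():
// placeholders like {field_3} are replaced only by values that validate as numbers, and the
// arithmetic is done by a small parser, so a quote or PHP syntax in a field never executes.
class CalcError extends RuntimeException {}
function ef_safe_calculate(string $formula, array $fields): float {
    // Substitute placeholders, rejecting anything that is not numeric.
    $expr = preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($fields): string {
        $raw = $fields[$m[1]] ?? '';
        if (!is_numeric($raw)) throw new CalcError("field {$m[1]} is not numeric");
        return '(' . (string) (float) $raw . ')';  // parentheses keep negative values intact
    }, $formula);
    // Whitelist the whole expression: digits, dot, + - * /, parentheses, whitespace.
    if (!preg_match('#^[0-9.+\-*/()\s]+$#', $expr)) throw new CalcError('illegal character in formula');
    $tokens = preg_split('#\s*([-+*/()])\s*#', $expr, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    $i = 0;
    $expression = null;  // assigned below; $factor needs it for parenthesised sub-expressions
    $factor = function () use (&$tokens, &$i, &$expression, &$factor): float {
        $t = $tokens[$i] ?? null;
        if ($t === '(') {
            $i++;
            $v = $expression();
            if (($tokens[$i++] ?? null) !== ')') throw new CalcError('missing )');
            return $v;
        }
        if ($t === '-') { $i++; return -$factor(); }  // unary minus
        if ($t === null || !is_numeric($t)) throw new CalcError('expected a number');
        return (float) $tokens[$i++];
    };
    $term = function () use (&$tokens, &$i, $factor): float {
        $v = $factor();
        while (in_array($tokens[$i] ?? null, ['*', '/'], true)) {
            $op = $tokens[$i++]; $r = $factor();
            if ($op === '/' && $r == 0.0) throw new CalcError('division by zero');
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    };
    $expression = function () use (&$tokens, &$i, $term): float {
        $v = $term();
        while (in_array($tokens[$i] ?? null, ['+', '-'], true)) {
            $op = $tokens[$i++];
            $v = $op === '+' ? $v + $term() : $v - $term();
        }
        return $v;
    };
    $result = $expression();
    if ($i !== count($tokens)) throw new CalcError('unexpected trailing input');
    return $result;
}
```

With this approach a submitted value containing a quote is rejected at the is_numeric() check rather than reaching any interpreter, which is the property sanitize_text_field() alone does not give you.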

Emergence of Rogue Admin Accounts and Countermeasures Against Attacks

Wordfence’s telemetry reveals that attacks commenced on April 13, 2026, approximately two weeks following public acknowledgment of the vulnerability. The primary payload of these attacks sought to register an administrator account under the moniker “diksimarina.”

In total, the firm has recorded over 29,300 blocked exploitation attempts. A notable spike occurred on May 16, during which more than 17,900 attempts were thwarted in a single day.

Log Monitoring Recommendations for Defenders

Defenders scrutinizing their logs should be vigilant for the following indicators:

  • Administrator account registered as “diksimarina.”
  • Email address: [email protected].
  • Requests originating from 202.56.2.126, which is the source of over 26,300 blocked attempts.

Flaws that grant attackers administrative privileges continue to pose a recurring challenge for WordPress administrators.

Source link: Infosecurity-magazine.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Souvik Banerjee

I’m Souvik Banerjee from Kolkata, India. As a Marketing Manager at RS Web Solutions (RSWEBSOLS), I specialize in digital marketing, SEO, programming, web development, and eCommerce strategies. I also write tutorials and tech articles that help professionals better understand web technologies.