Severity
High
Analysis Summary
Threat actors are actively exploiting a critical unauthenticated Remote Code Execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin, tracked as CVE-2026-3300 (CVSS: High). The flaw affects all plugin versions up to and including 1.9.12 and allows remote, unauthenticated attackers to execute arbitrary PHP code on vulnerable websites. The vendor released a fix in version 1.9.13 on March 18, 2026; public disclosure followed on March 30, and active exploitation was first observed on April 13. Security researchers have reported more than 29,300 blocked exploitation attempts, including a surge of over 17,900 on May 16 alone, highlighting widespread targeting of unpatched WordPress installations.
The vulnerability originates in the plugin's "Complex Calculation" feature, specifically in the process_filter() function. This function dynamically builds PHP source code from user-supplied form data and executes it with eval(). The inputs are passed through sanitize_text_field(), which strips HTML tags and control characters but does not escape quotes, so a single quote inside a field value survives into the generated code. An attacker can therefore close the intended string literal early and inject PHP through publicly accessible form fields, including text, email, URL, select, and radio inputs. A submitted value of the form: a single quote (which terminates the literal), followed by arbitrary PHP, followed by a comment sequence (which discards the remainder of the generated line) is enough to control what eval() executes and gain code execution on the server.
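The following is an added illustration, written in Python rather than the plugin's PHP and not taken from Everest Forms Pro, of the code-generation pattern just described: values pass through a sanitize_text_field()-style filter that leaves single quotes alone and are then spliced into PHP source destined for eval(). The builder names, the calculation template and the payload are assumptions; the helper php_outside_strings() shows which parts of the generated text PHP would treat as code rather than as string data.

```python
"""
Added model (not the plugin's code) of unsafe source generation from form
input.  sanitize_text_field_like() approximates WordPress sanitize_text_field();
build_calculation_vulnerable() mirrors the pattern in the advisory;
build_calculation_hardened() is one defensible replacement (an assumption, not
the vendor's fix, which the advisory does not describe).
"""
import re


def sanitize_text_field_like(value: str) -> str:
    """Approximation of WordPress sanitize_text_field(): strip tags, control
    characters and surrounding whitespace.  Single quotes, semicolons and
    comment markers survive untouched, which is the whole problem."""
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return value.strip()


def build_calculation_vulnerable(template: str, fields: dict) -> str:
    """Splice each field into a single-quoted PHP literal (the unsafe pattern).
    The returned string is what the plugin would hand to eval()."""
    code = template
    for name, raw in fields.items():
        code = code.replace("{" + name + "}", "'" + sanitize_text_field_like(raw) + "'")
    return "return " + code + ";"


def build_calculation_hardened(template: str, fields: dict) -> str:
    """Only numeric field values may enter a calculation; anything else is
    rejected before any source text is generated, so no user-controlled
    string ever reaches an evaluator."""
    code = template
    for name, raw in fields.items():
        value = sanitize_text_field_like(raw)
        if not re.fullmatch(r"-?\d+(\.\d+)?", value):
            raise ValueError(f"field {name!r} is not numeric: {value!r}")
        code = code.replace("{" + name + "}", value)
    return "return " + code + ";"


def php_outside_strings(code: str) -> str:
    """Return the parts of generated PHP that sit outside single-quoted
    literals, honouring backslash escapes inside literals and stopping at a
    // comment, as PHP would.  Any user-controlled text that lands here is
    executed as code, not treated as data."""
    out, i, in_str = [], 0, False
    while i < len(code):
        ch = code[i]
        if in_str:
            if ch == "\\" and i + 1 < len(code):
                i += 2
                continue
            if ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif code.startswith("//", i):
            break
        else:
            out.append(ch)
        i += 1
    return "".join(out)


TEMPLATE = "{qty} * {price}"          # assumed calculation template
BENIGN = {"qty": "3", "price": "4.5"}  # constructed normal submission
# Payload shape from the advisory: a quote to close the literal, injected
# PHP, then a comment marker that discards whatever the plugin appends after.
MALICIOUS = {"qty": "1'; system('id'); //", "price": "4.5"}

if __name__ == "__main__":
    for label, fields in (("benign", BENIGN), ("malicious", MALICIOUS)):
        code = build_calculation_vulnerable(TEMPLATE, fields)
        print(f"{label:9} -> {code!r}")
        print(f"{'':9}    outside strings: {php_outside_strings(code)!r}")
    print("hardened  ->", build_calculation_hardened(TEMPLATE, BENIGN))
    try:
        build_calculation_hardened(TEMPLATE, MALICIOUS)
    except ValueError as exc:
        print("hardened  -> rejected:", exc)
```

For the benign submission everything user-supplied stays inside the quotes; for the malicious one, `system(` appears outside any literal and the trailing `//` silences the rest of the generated line. Escaping `'` and `\` before interpolation would close this particular breakout, but it would still leave eval() running on text derived from unauthenticated input; the hardened builder models the safer design of never generating executable source from user data at all.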
Analysis of observed attacks shows that threat actors are primarily using the vulnerability to create unauthorized administrator accounts on compromised WordPress sites. A common technique injects PHP that calls the WordPress wp_insert_user() function to create a rogue administrator account, frequently with the username "diksimarina". With administrative access, attackers can upload web shells, install persistent backdoors, modify website content, steal data, or further compromise the hosting environment. Most attacks are specially crafted POST requests to the /wp-admin/admin-ajax.php endpoint that trigger the vulnerable calculation logic, so websites with a form that uses the Complex Calculation feature are particularly attractive targets.
Threat intelligence data identified several highly active IP addresses associated with exploitation attempts, including 202.56.2[.]126, 209.146.60[.]26, 15.235.166[.]18, 2402:1f00:8000[:]800::40db, and 185.78.165[.]153. Organizations should treat these as indicators of compromise (IOCs) and monitor or block related activity where appropriate. While Wordfence customers received virtual patching through firewall rules before public disclosure, relying solely on firewall defenses is not sufficient. Website administrators should immediately upgrade to Everest Forms Pro version 1.9.13 or later, review WordPress user accounts for unauthorized administrators, inspect server and web logs for suspicious requests targeting admin-ajax.php, and investigate any indicators of compromise. Given its unauthenticated nature, ease of exploitation, and ongoing active abuse, CVE-2026-3300 represents a severe, high-impact threat to WordPress environments.
Impact
- Gain Access
- Code Execution
Indicators of Compromise
IP Addresses
- 202.56.2[.]126
- 209.146.60[.]26
- 15.235.166[.]18
- 2402:1f00:8000[:]800::40db
- 185.78.165[.]153
CVE
- CVE-2026-3300
Remediation
- Immediately update Everest Forms Pro to version 1.9.13 or later to eliminate the vulnerability (CVE-2026-3300).
- Disable the "Complex Calculation" feature if it is not required for business operations until all systems are fully patched.
- Review WordPress administrator accounts and remove any unauthorized or suspicious users, especially administrators created on or after April 13, 2026 (when exploitation began) and any account named "diksimarina".
- Monitor and analyze web server logs for suspicious POST requests targeting /wp-admin/admin-ajax.php and other unusual activity.
- Block the malicious IP addresses listed in the analysis above and any others associated with exploitation attempts.
- Perform a full security audit of affected WordPress installations to identify web shells, backdoors, malicious plugins, or unauthorized file modifications.
- Reset passwords for all administrator accounts and enforce strong, unique credentials.
- Enable Multi-Factor Authentication (MFA) for all privileged WordPress accounts to reduce the risk of account abuse.
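The account-review, log-monitoring and IP-blocking steps above can be combined into a single triage pass. The following is an added example, not part of the advisory and not a Wordfence or Everest Forms tool: it refangs the advisory's IOC addresses, scans access-log lines for requests that match the exploitation pattern, and flags administrator accounts that warrant review. The log lines and user records are constructed samples; the "no Referer" heuristic and the use of April 13, 2026 as the review cut-off are assumptions.

```python
"""
Added triage helper (not from the advisory or the plugin).  IOC addresses and
the rogue username come from the advisory; everything else here is sample
data or an assumed heuristic.
"""
import re
from datetime import datetime

# IOC addresses as published (defanged); refang before matching.
IOC_ADDRESSES_DEFANGED = [
    "202.56.2[.]126",
    "209.146.60[.]26",
    "15.235.166[.]18",
    "2402:1f00:8000[:]800::40db",
    "185.78.165[.]153",
]


def refang(addr: str) -> str:
    return addr.replace("[.]", ".").replace("[:]", ":")


IOC_ADDRESSES = {refang(a) for a in IOC_ADDRESSES_DEFANGED}

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"


def triage_access_log(lines):
    """Return (ip, path, reason) tuples for requests worth investigating."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        if ip in IOC_ADDRESSES:
            findings.append((ip, path, "ioc_address"))
        elif (m["method"] == "POST" and path.split("?")[0].endswith(AJAX_ENDPOINT)
              and m["referer"] == "-"):
            # Heuristic (assumption): admin-ajax.php POSTs are routine for
            # logged-in users, but a browser sends a Referer with them; a bare
            # POST without one is the shape of unauthenticated exploit tooling.
            findings.append((ip, path, "admin_ajax_post_no_referer"))
    return findings


EXPLOITATION_START = datetime(2026, 4, 13)   # first observed exploitation, per the advisory
KNOWN_ROGUE_LOGINS = {"diksimarina"}          # username seen in attacks, per the advisory


def review_admins(users):
    """Return logins of administrator accounts that warrant review: known rogue
    names, or any administrator registered since exploitation began."""
    flagged = []
    for u in users:
        if u["role"] != "administrator":
            continue
        registered = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S")
        if u["login"] in KNOWN_ROGUE_LOGINS or registered >= EXPLOITATION_START:
            flagged.append(u["login"])
    return flagged


# Constructed sample data.  203.0.113.7 plays a legitimate logged-in user; the
# other addresses are the advisory's IOCs or an unattributed scanner.
SAMPLE_LOG = """\
202.56.2.126 - - [16/May/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2026:10:15:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://example.com/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [16/May/2026:10:15:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "https://example.com/wp-admin/post.php" "Mozilla/5.0"
198.51.100.23 - - [16/May/2026:10:16:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "python-requests/2.31"
2402:1f00:8000:800::40db - - [16/May/2026:10:17:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 53 "-" "curl/8.0"
203.0.113.7 - - [16/May/2026:10:18:00 +0000] "GET /contact/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
""".splitlines()

SAMPLE_USERS = [
    {"login": "siteowner",    "role": "administrator", "registered": "2023-02-01 09:00:00"},
    {"login": "editor1",      "role": "editor",        "registered": "2026-05-01 12:00:00"},
    {"login": "backup_admin", "role": "administrator", "registered": "2026-04-20 08:30:00"},
    {"login": "diksimarina",  "role": "administrator", "registered": "2026-05-16 10:14:05"},
]

if __name__ == "__main__":
    for ip, path, reason in triage_access_log(SAMPLE_LOG):
        print(f"{reason:27} {ip:26} {path}")
    print("administrators to review:", review_admins(SAMPLE_USERS))
```

On a real site the user records can be exported with WP-CLI (`wp user list --role=administrator --fields=user_login,user_registered --format=json`) and the log lines read from the web server's access log. Standard access logs do not record POST bodies, so this pass cannot see the injected PHP itself; if a WAF or request-body log is available, searching it for `wp_insert_user` or a quote followed by PHP in form-field values is the next step.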