A critical-severity vulnerability in the Everest Forms Pro WordPress plugin has been exploited in the wild for months for site takeover, Defiant warns.
Present on more than 100,000 WordPress websites, Everest Forms is designed for creating contact forms, order forms, payment forms, and surveys.
Tracked as CVE-2026-3300 (CVSS score of 9.8), the security defect allows unauthenticated, remote attackers to inject PHP code into form fields using the Complex Calculation feature.
Although user input is sanitized, a vulnerable function in the plugin does not escape single quotes and other characters, and adds the provided values to a PHP code string.
A remote, unauthenticated attacker can supply a value containing a single quote followed by malicious PHP code and a comment character, which results in the injection of PHP code that is executed on the server.
“This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the ‘Complex Calculation’ feature,” Defiant explains.
Threat actors can exploit the security flaw to create administrative accounts or deploy web shells, which allows them to take over vulnerable WordPress sites.
The CVE was addressed in March, in Everest Forms Pro version 1.9.13, and in-the-wild exploitation started on April 13, Defiant says. To date, the WordPress security firm has blocked over 29,000 exploit attempts targeting the vulnerability.
Most of the observed attacks attempted to create a new administrative account named ‘diksimarina’.
WordPress users are advised to update their Everest Forms Pro deployments to version 1.9.13 or newer as soon as possible, and to look for unauthorized administrator accounts, mainly for the username ‘diksimarina’ or the email address ‘[email protected]’.
Related: Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs
Related: WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
Related: CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day
Related: Ally WordPress Plugin Flaw Exposes Over 200,000 Websites to Attacks
