Everest Forms Pro Plugin RCE Lets Attackers Own WordPress (CVE-2026-3300)

· 2 min read · SecurityXP Editorial Desk

Hackers are actively exploiting a critical vulnerability in the Everest Forms Pro WordPress plugin right now. The flaw, tracked as CVE-2026-3300, allows unauthenticated attackers to execute arbitrary PHP code and seize complete control of affected websites.

Everest Forms Pro is a commercial add-on for the Everest Forms plugin, used to build contact, registration, payment, and other custom application forms. Versions 1.9.12 and earlier are vulnerable, so any WordPress site running one of those versions is exposed.

The eval() Trap

The vulnerability lives in the plugin’s Complex Calculation feature. This feature takes values from form fields and inserts them into a PHP code string. Then it executes that string using PHP’s eval function. Dangerous from the start.

User input passes through sanitize_text_field. It strips tags and encodes characters. Single quotes? It leaves them alone. An attacker submits a value beginning with a single quote. That closes the wrapping string literal. They inject arbitrary PHP code and comment out the remaining generated code. The result is full remote code execution. No authentication required.

Wordfence telemetry confirms active exploitation. Attackers are creating rogue administrator accounts.

“The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” a Wordfence researcher explained.

The use of eval in WordPress plugins is a persistent anti-pattern that fuels unauthenticated RCE across the plugin ecosystem. Developers relied on sanitize_text_field as a security control without understanding its limitations around single-quote escaping. That is a fundamental gap in secure coding education. Plugin marketplaces should ban eval and similar dangerous functions.
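The pattern described above (a form value spliced into a code string and handed to eval, with sanitize_text_field as the only filter) beside a hardened rewrite that never generates code, as an added PHP example that is not the plugin's code. The function names are hypothetical, and stand_in_sanitize_text_field only approximates what WordPress's sanitize_text_field does.

```php
<?php
// Added example (not Everest Forms code): why sanitize_text_field() does not
// protect code built by string concatenation, and a rewrite without eval().

// Simplified stand-in for WordPress sanitize_text_field(): strips tags and
// control characters but, like the real function, leaves single quotes alone.
function stand_in_sanitize_text_field(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// Vulnerable shape: the field value is spliced into PHP source and eval()'d.
// A single quote in the value ends the literal, so whatever follows it is
// parsed as code. The sanitizer does nothing to prevent that.
function calc_vulnerable(string $price, string $qty) {
    $price = stand_in_sanitize_text_field($price);
    $qty   = stand_in_sanitize_text_field($qty);
    $code  = "return (float)'" . $price . "' * (float)'" . $qty . "';";
    return eval($code);   // never do this with user-controlled strings
}

// Hardened version: no code generation at all. Inputs must validate as
// numbers and are combined through a small whitelist of operators.
function calc_safe(string $price, string $qty, string $op = '*') {
    $p = filter_var($price, FILTER_VALIDATE_FLOAT);
    $q = filter_var($qty,   FILTER_VALIDATE_FLOAT);
    if ($p === false || $q === false) {
        return null;   // reject anything that is not a plain number
    }
    switch ($op) {
        case '+': return $p + $q;
        case '-': return $p - $q;
        case '*': return $p * $q;
        case '/': return $q == 0 ? null : $p / $q;
        default:  return null;   // unknown operator: refuse, never eval
    }
}

// Constructed input: the sanitizer keeps the single quote, which is exactly
// the character the vulnerable function would place inside a code string.
var_dump(stand_in_sanitize_text_field("12.5' <b>x</b>"));  // string(7) "12.5' x"
var_dump(calc_safe("12.5", "4"));                          // float(50)
var_dump(calc_safe("12.5' x", "4"));                       // NULL (rejected)
```

calc_vulnerable is shown only for its shape and is never called here; the fix is to validate numerically and compute directly, as calc_safe does.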

Who Gets Hit

Any organization running Everest Forms Pro versions 1.9.12 and earlier faces complete site takeover. This includes businesses using contact forms, registration, payment processing, and custom applications. The plugin is marketed as a premium solution for advanced forms. Many users are small businesses and e-commerce sites without dedicated security teams.

Fixing It

Update Everest Forms Pro to the latest patched version immediately. If patching is not possible right away, disable the Complex Calculation feature in the plugin settings. It breaks forms that rely on calculated fields. But it eliminates the attack vector.

Audit all WordPress administrator accounts. Remove unauthorized accounts, particularly those with usernames like ‘diksimarina’. Change passwords for all legitimate admin accounts. Review WordPress access logs and Wordfence alerts for suspicious form submissions containing single quotes and PHP code injections.

Sources

  1. https://nvd.nist.gov/vuln/detail/CVE-2026-3300