PROBABLYPWNED
Vulnerabilities · June 6, 2026 · 4 min read

WordPress Plugin RCE Under Mass Exploitation — 29K Attacks

CVE-2026-3300 in Everest Forms Pro allows unauthenticated attackers to execute PHP code via eval() injection. Over 29,300 exploit attempts blocked since April despite patch availability.

Marcus Chen

Attackers are mass-exploiting a critical code execution vulnerability in the Everest Forms Pro WordPress plugin, with over 29,300 attack attempts blocked since mid-April despite a patch being available for months.

CVE-2026-3300 carries a CVSS score of 9.8 and affects all versions of Everest Forms Pro through 1.9.12. The flaw allows unauthenticated attackers to execute arbitrary PHP code on vulnerable sites—no login required, no user interaction needed.

How the Vulnerability Works

The bug lives in the Calculation Addon's process_filter() function. When a form uses the "Complex Calculation" feature, the function takes user-submitted form field values and concatenates them into a PHP string that gets passed directly to eval().

The plugin applies sanitize_text_field() to user input, but that function does not escape single quotes or other PHP syntax characters. An attacker can inject malicious PHP code through any string-type form field—text, email, URL, select, or radio inputs all work.

The attack path is brutally simple: find a site running Everest Forms Pro with calculations enabled, submit a form with PHP code in a text field, and watch it execute.

Active Exploitation Patterns

Security researchers tracking exploitation report a consistent attack pattern. The most common payload attempts to create a rogue administrator account with specific credentials:

Once attackers establish admin access, they deploy web shells and burrow deeper into the server. The admin account creation is just the foothold—persistent backdoor access follows.

Source IP addresses observed in attacks include:

  • 202.56.2.126
  • 209.146.60.26
  • 15.235.166.18
  • 2402:1f00:8000:800::40db
  • 185.78.165.153

These indicators can help administrators identify compromise attempts in access logs.

Timeline and Patch Status

The vulnerability was patched in version 1.9.13, released on March 18, 2026. Yet active exploitation began on April 13, 2026—nearly a month after the fix became available.

This delay between patch release and exploitation start suggests attackers reverse-engineered the fix to understand the vulnerability, then built working exploits. The pattern is common: security patches often serve as roadmaps for attackers targeting sites slow to update.

With approximately 4,000 active installations, Everest Forms Pro has a relatively small install base compared to WordPress plugins with hundreds of thousands of installs. But the severity of unauthenticated RCE means even that smaller pool represents significant risk.

Detection and Response

Administrators should take immediate action:

  1. Update to version 1.9.13 or later — this is the only complete fix
  2. Search for the diksimarina user account — its presence indicates compromise
  3. Audit admin accounts created after April 13, 2026
  4. Check for web shells in plugin directories and wp-content/uploads
  5. Review access logs for the IP addresses listed above
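The following script is an added example, not code from the article or from the plugin vendor, that turns the indicators listed above and steps 2, 3 and 5 of this checklist into something an administrator can run over exported data. It parses web-server access log lines in the common "combined" format and flags requests from the published source IPs (IPv4 and IPv6), and it scans a user export for the `diksimarina` login and for administrator accounts registered on or after April 13, 2026. The log lines, user records and the `/contact/` path are constructed sample data; the user-record shape (`user_login`, `user_registered`, `roles`) is an assumption about what you would export from your own site.

```python
import ipaddress
import re
from datetime import datetime

# Source IPs observed in attacks, as listed in the article.
ATTACK_SOURCE_IPS = {
    ipaddress.ip_address(addr)
    for addr in (
        "202.56.2.126",
        "209.146.60.26",
        "15.235.166.18",
        "2402:1f00:8000:800::40db",
        "185.78.165.153",
    )
}

# Rogue admin login named in the article, and the day exploitation began.
ROGUE_ADMIN_LOGIN = "diksimarina"
EXPLOITATION_START = datetime(2026, 4, 13)

# Apache/nginx "combined" log format; the remote host is the first field.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        host = ipaddress.ip_address(m.group("host"))  # handles IPv4 and IPv6
    except ValueError:
        return None
    return {
        "host": host,
        "time": m.group("time"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_ioc_hits(log_lines):
    """Return parsed records whose source IP matches a published indicator."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec and rec["host"] in ATTACK_SOURCE_IPS:
            hits.append(rec)
    return hits


def find_suspicious_users(users):
    """Flag the rogue login and any administrator registered on or after
    the day exploitation started. Each user is a dict with user_login,
    user_registered ('YYYY-MM-DD HH:MM:SS') and roles (list); this shape
    is an assumption about your own export, not a WordPress API."""
    flagged = []
    for u in users:
        reasons = []
        if u["user_login"] == ROGUE_ADMIN_LOGIN:
            reasons.append("rogue login associated with the campaign")
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in u["roles"] and registered >= EXPLOITATION_START:
            reasons.append("administrator created on/after 2026-04-13")
        if reasons:
            flagged.append((u["user_login"], reasons))
    return flagged


# Constructed sample data (not real traffic or real accounts).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2026:02:11:05 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
202.56.2.126 - - [14/Apr/2026:02:11:09 +0000] "POST /contact/ HTTP/1.1" 200 312 "-" "python-requests/2.31"
2402:1f00:8000:800::40db - - [15/Apr/2026:11:40:22 +0000] "POST /contact/ HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.9 - - [15/Apr/2026:11:41:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
garbage line that does not parse
""".splitlines()

SAMPLE_USERS = [
    {"user_login": "siteowner", "user_registered": "2023-05-02 09:00:00", "roles": ["administrator"]},
    {"user_login": "diksimarina", "user_registered": "2026-04-14 02:11:10", "roles": ["administrator"]},
    {"user_login": "editor1", "user_registered": "2026-04-20 10:00:00", "roles": ["editor"]},
    {"user_login": "backup_admin", "user_registered": "2026-04-21 03:15:44", "roles": ["administrator"]},
]

if __name__ == "__main__":
    for rec in find_ioc_hits(SAMPLE_LOG):
        print(f"IOC hit: {rec['host']} {rec['method']} {rec['path']} at {rec['time']}")
    for login, reasons in find_suspicious_users(SAMPLE_USERS):
        print(f"Review account {login!r}: {'; '.join(reasons)}")
```

On a real site, feed `find_ioc_hits` the lines of your access log and `find_suspicious_users` a user export with those three fields; a match on the IP list is evidence of an attempt, not proof of compromise, while a `diksimarina` account or an unexplained post-April-13 administrator is the stronger signal.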

If you find evidence of compromise, assume the worst: attackers with code execution can steal database credentials, modify other plugins, and establish multiple persistence mechanisms. A compromised site typically requires full incident response, not just plugin updates.

The Broader Problem

CVE-2026-3300 exemplifies why WordPress security remains challenging. The plugin ecosystem is vast, update discipline varies wildly across site owners, and vulnerabilities in premium (paid) plugins often receive less scrutiny than their free counterparts.

The use of eval() with user input is a textbook security anti-pattern. That it appeared in a premium plugin highlights gaps in code review practices across the WordPress ecosystem. For sites that depend on WordPress for business operations, this vulnerability reinforces the case for regular security audits and, critically, automated update policies.

Nearly three months after the patch release, attacks continue at pace. The 29,300+ blocked attempts represent only what researchers could observe—actual exploitation numbers are certainly higher. Every site still running version 1.9.12 or earlier remains a target, and attackers show no signs of moving on.
