Executive Summary
A critical vulnerability in the Everest Forms Pro WordPress plugin, tracked as CVE-2026-3300 (CVSS 9.8), is being actively exploited to compromise WordPress sites globally. This flaw enables unauthenticated attackers to execute arbitrary PHP code remotely, resulting in full site takeover, unauthorized administrator account creation, and the deployment of persistent web shells. The vulnerability is present in all versions of Everest Forms Pro up to and including 1.9.12, with a patch available in version 1.9.13. Over 29,000 exploit attempts have been detected in the wild, with attackers leveraging automated infrastructure to target a broad spectrum of WordPress installations. Immediate remediation is essential to prevent compromise and data loss.
Threat Actor Profile
The exploitation of the Everest Forms Pro vulnerability is currently attributed to opportunistic cybercriminals rather than a specific advanced persistent threat (APT) group. Attackers are leveraging automated scanning and exploitation tools to identify and compromise vulnerable WordPress sites at scale. The observed tactics, techniques, and procedures (TTPs) indicate a focus on mass exploitation for the purposes of establishing persistent access, deploying web shells, and creating rogue administrator accounts. The attacker infrastructure includes a distributed set of IP addresses, some of which are associated with known malicious activity and botnet operations. The lack of targeted victimology suggests that the primary motivation is financial gain through site hijacking, potential ransomware deployment, or resale of access on underground forums.
Technical Analysis of Malware/TTPs
The core vulnerability resides in the "Complex Calculation" feature of the Everest Forms Pro Calculation Addon. Specifically, the process_filter() function concatenates user-supplied form field values into a PHP code string, which is then executed via the dangerous eval() function. The input sanitization mechanism, sanitize_text_field(), fails to properly escape characters that are significant in PHP code contexts, such as single quotes and semicolons. This oversight allows attackers to inject arbitrary PHP code through any string-type form field, including text, email, URL, select, and radio inputs.
Upon successful exploitation, attackers typically execute payloads that create new administrator accounts with hardcoded credentials (e.g., username "diksimarina", email "diksimarina@gmail.com"). In addition, web shells are often deployed to provide persistent remote access and facilitate further post-exploitation activities. The web shells are commonly obfuscated and placed in writable directories within the WordPress installation, such as /wp-content/uploads/. Attackers may also modify core WordPress files or install malicious plugins to maintain access.
The exploitation chain is fully remote and requires no authentication or user interaction. Attackers use automated scripts to submit malicious payloads to vulnerable forms, often rotating through a list of target sites harvested via search engines or reconnaissance tools. The attack vector is network-based, and exploitation can occur as soon as a vulnerable form is exposed to the internet.
Exploitation in the Wild
Active exploitation of CVE-2026-3300 was first observed on April 13, 2026. Telemetry from security vendors such as Wordfence indicates over 29,300 blocked exploit attempts, with a notable spike in activity following public disclosure of the vulnerability and the release of proof-of-concept (PoC) exploit code. In the 24 hours preceding this report alone, at least 16 new attack attempts have been recorded.
Attackers are primarily using payloads that create rogue administrator accounts, enabling them to bypass existing access controls and perform arbitrary actions within the WordPress dashboard. The most commonly observed rogue account uses the username "diksimarina" and the email address "diksimarina@gmail.com". In addition to account creation, attackers deploy web shells and attempt to exfiltrate sensitive data or pivot to other systems within the victim's network.
The attacker infrastructure is distributed, with observed IP addresses including 202.56.2.126, 209.146.60.26, 15.235.166.18, 2402:1f00:8000:800::40db, and 185.78.165.153. These IPs have been linked to previous malicious campaigns and are likely part of a larger botnet or exploitation-as-a-service operation.
Indicators of compromise (IOCs) associated with this campaign include the presence of new administrator accounts, unexpected PHP files or web shells in WordPress directories, suspicious form submissions containing encoded or escaped special characters, and outbound connections from the web server to attacker-controlled infrastructure.
Victimology and Targeting
The exploitation campaign is indiscriminate, targeting any publicly accessible WordPress site running a vulnerable version of Everest Forms Pro. There is no evidence of sector-specific targeting; affected organizations include small businesses, e-commerce platforms, educational institutions, and non-profit organizations. The common denominator among victims is the presence of the vulnerable plugin and exposure of forms utilizing the "Complex Calculation" feature.
Attackers are leveraging automated tools to scan for and exploit vulnerable sites en masse, with no apparent preference for geography, industry, or organizational size. The widespread nature of the campaign increases the risk of collateral damage, including defacement, data theft, and potential use of compromised sites for further malicious activity such as phishing or malware distribution.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2026-3300. All organizations using Everest Forms Pro must update to version 1.9.13 or later, which addresses the underlying vulnerability by properly sanitizing user input and removing the unsafe use of eval(). If immediate patching is not possible, the "Complex Calculation" feature should be disabled on all forms to eliminate the attack vector.
Additional mitigation steps include restricting form access to authenticated users where feasible, deploying web application firewall (WAF) rules to block form submissions containing PHP code injection patterns (such as single quotes, eval, exec, system, and passthru), and monitoring for indicators of compromise. Example ModSecurity rules can be implemented to detect and block suspicious payloads at the application layer.
Organizations should conduct thorough log analysis to identify suspicious form submissions and review WordPress and web server logs for evidence of unauthorized administrator account creation or unexpected PHP file modifications. File integrity monitoring solutions can help detect the deployment of web shells or other malicious files. Network monitoring should be configured to alert on outbound connections to known attacker infrastructure.
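As an added triage example (not Rescana's tooling and not part of the original advisory), the following Python script applies the indicators listed above, namely the attacker IPs, the rogue administrator account and the PHP-significant tokens named in the WAF guidance, to a constructed set of form-submission records and a constructed WordPress user list. The record layout (ip, fields, login, roles, registered) is an assumption; in practice the data would come from a WAF or request log and the wp_users table.

```python
"""Triage helpers for the CVE-2026-3300 indicators (added example, not the
advisory's own code). Sample records below are constructed."""
import re
from datetime import datetime
from urllib.parse import unquote_plus

# IoCs quoted in the advisory: attacker IPs and the rogue admin account.
KNOWN_BAD_IPS = {"202.56.2.126", "209.146.60.26", "15.235.166.18",
                 "2402:1f00:8000:800::40db", "185.78.165.153"}
ROGUE_USERS = {"diksimarina", "diksimarina@gmail.com"}
# Tokens significant inside PHP code (the WAF patterns named above); benign
# text rarely contains them, so a hit is worth a closer look, not a verdict.
PHP_INJECTION = re.compile(r"'|;|\b(eval|exec|system|passthru)\s*\(", re.I)
FIRST_SEEN = datetime(2026, 4, 13)  # first observed in-the-wild exploitation

def flag_submission(rec):
    """Return the reasons a form submission looks like a CVE-2026-3300 attempt."""
    reasons = []
    if rec["ip"] in KNOWN_BAD_IPS:
        reasons.append(f"known attacker IP {rec['ip']}")
    for name, value in rec["fields"].items():
        decoded = unquote_plus(unquote_plus(value))  # undo (double) URL-encoding
        if PHP_INJECTION.search(decoded):
            reasons.append(f"PHP code tokens in field '{name}'")
    return reasons

def flag_admins(users):
    """Return admin accounts matching the rogue IoC or created after first exploitation."""
    hits = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        if u["login"] in ROGUE_USERS or u["email"] in ROGUE_USERS:
            hits.append((u["login"], "matches rogue account IoC"))
        elif datetime.fromisoformat(u["registered"]) >= FIRST_SEEN:
            hits.append((u["login"], "admin created after first exploitation"))
    return hits

# Constructed sample data: one benign submission, one double-encoded injection attempt.
SUBMISSIONS = [
    {"ip": "198.51.100.7", "fields": {"email": "alice@example.org", "qty": "3"}},
    {"ip": "185.78.165.153", "fields": {"qty": "1%2527%253B%2520system%2528"}},
]
USERS = [
    {"login": "owner", "email": "owner@example.org", "roles": ["administrator"], "registered": "2023-02-01"},
    {"login": "diksimarina", "email": "diksimarina@gmail.com", "roles": ["administrator"], "registered": "2026-04-14"},
    {"login": "editor1", "email": "ed@example.org", "roles": ["editor"], "registered": "2026-04-15"},
]

if __name__ == "__main__":
    for rec in SUBMISSIONS:
        print(rec["ip"], flag_submission(rec))
    print(flag_admins(USERS))
```

Any account or submission the script flags should be confirmed against the web server and WordPress logs before action, since legitimate text can contain a single quote or semicolon.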
In the event of suspected compromise, immediate incident response actions should include resetting all administrator credentials, removing unauthorized accounts, scanning for and removing web shells, and restoring affected systems from known-good backups.
References
- The Hacker News: Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
- SentinelOne CVE-2026-3300 Vulnerability Database
- Wordfence Vulnerability Report
- GitHub Advisory: GHSA-jfqc-5rvh-wp99
- NVD Entry for CVE-2026-3300
- Reddit: Critical Everest Forms Pro flaw exploited to take over WordPress sites
About Rescana
Rescana is a leader in third-party risk management (TPRM) and cyber threat intelligence. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. By leveraging advanced analytics and real-time threat intelligence, Rescana enables proactive defense against emerging vulnerabilities and evolving attack vectors. For more information or to discuss how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.