
Critical Everest Forms Pro Vulnerability Under Active Attack

Security researchers have warned WordPress website owners about an actively exploited critical vulnerability in the Everest Forms Pro plugin. The flaw allows attackers to execute malicious PHP code on vulnerable websites and potentially take complete control of them.

According to a report from Wordfence, attackers have already attempted to exploit the vulnerability more than 29,300 times. The issue affects Everest Forms Pro versions 1.9.12 and earlier and has been assigned CVE-2026-3300 with a CVSS score of 9.8, which is considered critical.

The vulnerability was publicly disclosed on March 30, 2026, although a patched version had already been released by the plugin developer on March 18. Wordfence says attackers started actively exploiting the flaw on April 13, with a major spike recorded on May 16 when more than 17,900 attack attempts were blocked in a single day.

The issue exists in the plugin’s Complex Calculation feature. Researchers found that user-submitted form values are inserted into dynamically generated PHP code and executed using PHP’s eval() function.

The plugin does run the submitted values through WordPress’s sanitize_text_field(), but that function is meant for text that will be stored or displayed: it strips tags, line breaks and stray whitespace. It is not designed to make a value safe inside PHP source, so single quotes and other syntax characters pass through unchanged and can close the string literal the value is placed in.

As a result, an attacker can submit a specially crafted value through form fields such as text, email, URL, select or radio fields. If the form uses the Complex Calculation feature, the injected PHP runs on the server when the calculation is evaluated.

This means attackers do not need an account or login credentials to launch an attack. The vulnerability can be exploited by unauthenticated users.
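The pattern the article describes, as an added illustration that is not code from Everest Forms Pro: a calculation template with placeholders, a stand-in for sanitize_text_field(), the cleaned value spliced into PHP source as a quoted literal and handed to eval(), and beside it one way to close the hole. The placeholder syntax, the function names, the stand-in sanitiser and the harmless marker function are assumptions made for this example; the plugin's real internals are not shown.

```php
<?php
// Added example, not Everest Forms Pro code. Template syntax ("{field}"),
// function names and the stand-in sanitiser are assumptions for illustration.

// Stand-in for WordPress's sanitize_text_field(): strips tags, line breaks
// and surplus whitespace. Like the real function, it leaves quotes alone.
function sanitize_text_field_like(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\r\n\t ]+/', ' ', $value);
    return trim($value);
}

// VULNERABLE: sanitised values are spliced into PHP source as single-quoted
// literals, then the whole expression is passed to eval().
function vulnerable_calculate(string $template, array $fields)
{
    $code = $template;
    foreach ($fields as $name => $raw) {
        $clean = sanitize_text_field_like($raw);
        $code  = str_replace('{' . $name . '}', "'" . $clean . "'", $code);
    }
    return eval('return ' . $code . ';');
}

// HARDENED: a value must be a number before it goes anywhere near generated
// code, and the final expression is restricted to plain arithmetic.
function hardened_calculate(string $template, array $fields): float
{
    $code = $template;
    foreach ($fields as $name => $raw) {
        if (!is_numeric($raw)) {
            throw new InvalidArgumentException("field '{$name}' is not numeric");
        }
        // Only a float literal produced by var_export() reaches the expression.
        $code = str_replace('{' . $name . '}', var_export((float) $raw, true), $code);
    }
    // Defence in depth: after substitution nothing but digits, operators,
    // parentheses and spaces may remain (a leftover placeholder fails here too).
    if (preg_match('#[^0-9.+\-*/() ]#', $code)) {
        throw new InvalidArgumentException('expression contains non-arithmetic characters');
    }
    return (float) eval('return ' . $code . ';');
}

// Harmless stand-in for an attacker's payload (the observed attacks called
// wp_insert_user()); it records that it ran and returns 0 so the arithmetic
// around it still evaluates.
$GLOBALS['payload_ran'] = false;
function attacker_marker(): int
{
    $GLOBALS['payload_ran'] = true;
    return 0;
}

$template = '{qty} * {price}';
$benign   = ['qty' => '3', 'price' => '2.5'];
// Constructed malicious submission: the leading quote closes the literal,
// and the rest is PHP that executes inside eval().
$malicious = ['qty' => "1' + attacker_marker() + '1", 'price' => '2.5'];

var_dump(vulnerable_calculate($template, $benign));
var_dump(vulnerable_calculate($template, $malicious));
var_dump($GLOBALS['payload_ran']);

$GLOBALS['payload_ran'] = false;
var_dump(hardened_calculate($template, $benign));
try {
    hardened_calculate($template, $malicious);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
var_dump($GLOBALS['payload_ran']);
```

Run it with `php` on the command line. The benign submission yields the product in both versions; the crafted submission makes vulnerable_calculate() execute attacker_marker() (the flag flips to true) because the quote survived sanitisation, while hardened_calculate() rejects it before any code is generated. The lesson is that a sanitiser written for text is the wrong tool for values that become code: validate the type, and better still drop eval() altogether in favour of a small arithmetic parser.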

Remote Code Execution vulnerabilities are among the most dangerous security flaws because they allow attackers to run arbitrary code on a server. Successful exploitation can lead to complete website compromise. Attackers can create administrator accounts, upload malicious files, install web shells, modify plugins and themes, and establish persistent access to the website.

One of the most commonly observed payloads attempts to create a new administrator account named “diksimarina”. The injected PHP calls WordPress’s wp_insert_user() function to add an admin user on the target site.

Once the account exists, the attacker can log in through the WordPress dashboard with full control of the site. Because such an account persists after the plugin is updated, site owners should also review their administrator accounts for any they did not create.

Wordfence identified several IP addresses that have been heavily involved in exploitation attempts. The most active address, 202.56.2.126, was responsible for more than 26,300 blocked requests.

Users running Everest Forms Pro should update to version 1.9.13 or later immediately. Updating matters even if a web application firewall is already in front of the site: a firewall rule only blocks the request patterns it recognises, while the update removes the code path that evaluates submitted values.

Wordfence Premium customers received protection against the vulnerability on February 27, while users of the free version received firewall protection on March 29.

If you run a WordPress website and need help with security hardening, malware cleanup, vulnerability management, or ongoing maintenance, Techlomedia Internet offers WordPress development and security services. The company helps businesses secure their WordPress installations, remove malware, recover hacked websites, and keep plugins and themes updated to reduce security risks.

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
