Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
A critical security vulnerability, tracked as CVE-2026-3300, has been actively exploited in the Everest Forms Pro WordPress plugin. The flaw allows unauthenticated attackers to achieve complete site takeover through Remote Code Execution (RCE), posing a severe threat to thousands of WordPress installations.
The Technical Root Cause: Improper Input Sanitization
The vulnerability resides in the process_filter() function of the plugin's Calculation Addon. The flaw occurs when the plugin concatenates user-submitted form field values into a PHP code string and passes that string directly to eval() without proper escaping.
While the developers used sanitize_text_field(), that function is not a defense against PHP injection: it does not escape single quotes or other characters that carry meaning in PHP source, so an attacker can "break out" of the intended string literal and inject arbitrary PHP. This is possible on any string-type form field (text, email, URL, select, and radio buttons included), provided the "Complex Calculation" feature is enabled.
Attack Vector and Impact
The attack requires no authentication, making it an extremely high-risk vulnerability. Once an attacker submits a crafted value through a form, they can:
- Create Administrative Accounts: Adversaries have been observed creating rogue administrator accounts (notably using the name "diksimarina") to gain persistent access.
- Deploy Web Shells: Attackers can upload malicious scripts that allow them to browse files, steal data, and modify site content.
- Full Server Access: Depending on the server configuration, RCE can potentially lead to lateral movement within the hosting environment.
With a CVSS score of 9.8, this flaw is classified as Critical. Wordfence reports over 29,300 exploit attempts, confirming that threat actors are aggressively targeting unpatched sites.
Timeline and Remediation
A patch was released on March 18, 2026, in version 1.9.13. Active exploitation began shortly afterwards, on April 13, 2026. This gap between the patch release and the peak of active exploitation underscores the danger of delaying plugin updates.
Immediate Action Required: All users of Everest Forms Pro must update to version 1.9.13 or higher immediately. If an update is not possible, disabling the "Complex Calculation" feature may mitigate the risk, though a full update is the only recommended solution.
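Updating closes the hole, but it does not remove accounts an attacker may already have created. As an added triage example (not from this article, from Wordfence, or from the plugin vendor), the PHP script below walks the JSON that `wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles` prints and flags administrator accounts registered on or after the patch date, or whose login matches the name reported in the attacks. The user records are constructed for the example, and the choice of the patch date as cutoff, the `roles` field being a comma-separated string, and the function name are assumptions.

```php
<?php
// Added triage example (not part of the article or of Everest Forms Pro): flag
// administrator accounts that appeared after the fix for CVE-2026-3300 shipped.
// Input is the JSON export of `wp user list`; the records below are constructed.

declare(strict_types=1);

const PATCH_RELEASED = '2026-03-18';        // from the advisory timeline (assumed cutoff)
const KNOWN_ROGUE_LOGINS = ['diksimarina']; // login name reported in the attacks

// Returns [login => [reason, ...]] for every account worth a closer look.
function suspicious_admins(string $json, string $since = PATCH_RELEASED): array
{
    $users  = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $cutoff = new DateTimeImmutable($since);
    $flagged = [];

    foreach ($users as $u) {
        // wp-cli prints multiple roles comma-separated (assumption for this example)
        $roles      = array_map('trim', explode(',', (string) $u['roles']));
        $registered = new DateTimeImmutable($u['user_registered']);
        $reasons    = [];

        if (in_array(strtolower($u['user_login']), KNOWN_ROGUE_LOGINS, true)) {
            $reasons[] = 'login matches name seen in exploitation';
        }
        if (in_array('administrator', $roles, true) && $registered >= $cutoff) {
            $reasons[] = 'administrator registered on or after patch release';
        }
        if ($reasons) {
            $flagged[$u['user_login']] = $reasons;
        }
    }
    return $flagged;
}

// Constructed sample of what `wp user list --format=json` returns.
$sample = <<<'JSON'
[
  {"ID":1,"user_login":"owner","user_email":"owner@example.com","user_registered":"2021-05-02 09:14:00","roles":"administrator"},
  {"ID":57,"user_login":"editor_jane","user_email":"jane@example.com","user_registered":"2026-03-20 11:02:31","roles":"editor"},
  {"ID":58,"user_login":"diksimarina","user_email":"x@example.com","user_registered":"2026-04-14 03:41:08","roles":"administrator"},
  {"ID":59,"user_login":"wpsupport","user_email":"y@example.com","user_registered":"2026-04-15 02:07:55","roles":"administrator"}
]
JSON;

foreach (suspicious_admins($sample) as $login => $reasons) {
    echo $login, ': ', implode('; ', $reasons), PHP_EOL;
}
```

Treat the output as a starting point, not a verdict: an attacker with code execution can backdate `user_registered` or drop a web shell without touching the users table at all, so pair this with a file-integrity check of the web root and with `wp plugin list` to confirm the installed Everest Forms Pro version is 1.9.13 or higher.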
Lessons for WordPress Site Administrators
This incident highlights three critical security principles:
1. The Danger of eval(): The use of eval() on user-controllable input is a classic security anti-pattern. Regardless of the sanitization used, any function that executes code dynamically should be avoided in favor of safer alternatives.
2. Sanitization vs. Escaping: sanitize_text_field() is meant for cleaning data for storage, not for securing data meant for execution. Developers must use context-specific escaping to prevent injection.
3. The Patch Window: The window between a patch release and active exploitation is shrinking. Automated updates or a rigorous update schedule are no longer optional for production sites.
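To make lessons 1 and 2 concrete for the root cause described earlier, here is an added PHP example (not code from Everest Forms Pro or its vendor; the function names are stand-ins): a minimal sanitize-then-eval calculator of the kind the article describes, followed by a replacement that coerces every field value to a number and interprets the formula with a small arithmetic parser, so no user data is ever spliced into PHP source. It assumes PHP 8.0 or later and a `{field}` placeholder syntax for formulas.

```php
<?php
// Added example (not from the Everest Forms Pro code base): why "sanitizing" a value
// does not make it safe to splice into PHP source, and a replacement that never
// builds code at all. Names are illustrative; PHP 8.0+ assumed (match expression).

declare(strict_types=1);

// Stand-in for WordPress' sanitize_text_field(): strips tags and control characters
// but, like the real function, leaves quotes and other PHP syntax untouched.
function sanitize_text_field_like(string $value): string
{
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($value)));
}

// The anti-pattern the article describes: the formula "{price} * {qty}" is turned
// into PHP source by concatenation and handed to eval(). Any field value containing
// a quote ends the string literal, and whatever follows is executed as code.
function calculate_with_eval(string $template, array $fields): float
{
    $code = $template;
    foreach ($fields as $name => $value) {
        $code = str_replace('{' . $name . '}', "'" . sanitize_text_field_like($value) . "'", $code);
    }
    return (float) eval("return $code;"); // DO NOT USE: code injection sink
}

// Hardened form: every field value must be numeric and is re-emitted from a float,
// then the formula is interpreted by a parser that knows only numbers, + - * / and ().
function calculate_safely(string $template, array $fields): float
{
    $expr = preg_replace_callback('/\{([A-Za-z0-9_]+)\}/', function (array $m) use ($fields): string {
        $value = $fields[$m[1]] ?? null;
        if (!is_numeric($value)) {
            throw new InvalidArgumentException("Field {$m[1]} is not numeric");
        }
        $v = (float) $value;
        return $v < 0 ? '(0' . $v . ')' : (string) $v; // keep negatives as binary minus
    }, $template);
    return evaluate_arithmetic($expr);
}

// Shunting-yard evaluation of + - * / and parentheses over decimal numbers.
function evaluate_arithmetic(string $expr): float
{
    if (!preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m)
        || preg_replace('/\s+/', '', $expr) !== implode('', $m[0])) {
        throw new InvalidArgumentException('Formula contains unsupported characters');
    }
    $prec   = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    $output = [];
    $ops    = [];
    $apply  = function () use (&$output, &$ops): void {
        $op = array_pop($ops);
        $b  = array_pop($output);
        $a  = array_pop($output);
        if ($a === null || $b === null) {
            throw new InvalidArgumentException('Malformed formula');
        }
        if ($op === '/' && $b == 0.0) {
            throw new DivisionByZeroError('Division by zero in formula');
        }
        $output[] = match ($op) { '+' => $a + $b, '-' => $a - $b, '*' => $a * $b, '/' => $a / $b };
    };
    foreach ($m[0] as $tok) {
        if (is_numeric($tok)) {
            $output[] = (float) $tok;
        } elseif ($tok === '(') {
            $ops[] = $tok;
        } elseif ($tok === ')') {
            while ($ops && end($ops) !== '(') { $apply(); }
            if (array_pop($ops) !== '(') { throw new InvalidArgumentException('Unbalanced parentheses'); }
        } else {
            while ($ops && end($ops) !== '(' && $prec[end($ops)] >= $prec[$tok]) { $apply(); }
            $ops[] = $tok;
        }
    }
    while ($ops) {
        if (end($ops) === '(') { throw new InvalidArgumentException('Unbalanced parentheses'); }
        $apply();
    }
    if (count($output) !== 1) { throw new InvalidArgumentException('Malformed formula'); }
    return $output[0];
}

// Demo with constructed input: a normal order, then a non-numeric value that the
// eval() version would have concatenated into code and the safe version simply rejects.
$template = '({price} * {qty}) - {discount}';
printf("%.2f\n", calculate_safely($template, ['price' => '19.99', 'qty' => '3', 'discount' => '5']));
try {
    calculate_safely($template, ['price' => 'not a number', 'qty' => '1', 'discount' => '0']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that the hardened version has no code path from a form field to the PHP interpreter: values are validated by type, re-serialised from a float rather than copied through, and the formula grammar is closed, so escaping becomes irrelevant. If a feature genuinely needs a richer expression language, the same rule applies: use a parser for that language, never eval() on assembled source.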
The Bottom Line
The Everest Forms Pro breach is a stark reminder that a single flawed function in a trusted plugin can compromise an entire web presence. In an era of automated scanning, vulnerabilities like CVE-2026-3300 are discovered and exploited by botnets within days. Proactive patching and a "defense-in-depth" strategy are the only ways to stay secure.