Remote Code Execution: Critical Flaw in Everest Forms Pro Enables WordPress Invasions
Even a mundane feedback form can morph into an initial attack vector. This transition occurs when a data handler executes submitted text as code. Specifically, adversaries are actively exploiting a critical vulnerability designated as CVE-2026-3300 within Everest Forms Pro. Notably, this flaw commands a maximum CVSS score of 9.8.
The defect affects versions 1.9.12 and below. Consequently, unauthenticated remote attackers can execute arbitrary code on the hosting server.
Deconstructing the Evaluation Mechanism
The Flaw in Complex Calculation
Everest Forms Pro enhances the baseline plugin to facilitate the creation of custom registration and payment portals. However, a structural vulnerability resides within the Complex Calculation routine. This function extracts values from form fields and injects them directly into a PHP code string. Afterward, the backend processes this string via the perilous eval() function.
Because eval() runs whatever string it receives, any field value that can break out of its quoted context in that string becomes a code execution vector.
Subverting Input Sanitization Filters
Although the submitted field values passed through WordPress's native sanitize_text_field() routine, that filter does not remove or escape single quotation marks. Thus, syntax-altering characters remained unescaped in the string handed to eval().
Therefore, an adversary could terminate the initial string and append a custom PHP command. Next, they simply comment out the trailing code to prevent syntax failures.
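The two sections above describe the root cause: field values pasted into a code string that eval() then runs, with a filter that leaves quotes intact. The safe alternative is to never build code from input at all. The following is an added Python example, not the plugin's PHP code; it parses an admin-defined formula with a whitelist grammar and accepts submitted values only as numbers, so a quote or semicolon in a submission is rejected rather than interpreted. The formula syntax, placeholder names and sample values are constructed for illustration; the same approach carries over to PHP.

```python
import re

# Added example, not Everest Forms Pro code: compute "{qty} * {price} + 2.5" from submitted
# values without eval(). Field values must be plain decimal numbers, nothing else.
NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")
TOKEN_RE = re.compile(r"\d+(?:\.\d+)?|\{[A-Za-z0-9_]+\}|[-+*/]")

def field_to_number(value: str) -> float:
    """Reject anything that is not a decimal literal instead of pasting it into code."""
    if not NUMBER_RE.match(value.strip()):
        raise ValueError(f"non-numeric field value rejected: {value!r}")
    return float(value)

def tokenize(formula: str) -> list:
    """Split the formula into whitelisted tokens; any other character is an error."""
    tokens = TOKEN_RE.findall(formula)
    if "".join(tokens) != re.sub(r"\s+", "", formula):   # something was skipped
        raise ValueError("formula contains characters outside the whitelist")
    return tokens

def evaluate(formula: str, fields: dict) -> float:
    """Safe replacement for eval(): + - * / with precedence, placeholders -> numbers only."""
    toks, pos = tokenize(formula) + [None], [0]  # None marks end; pos is a shared cursor
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def operand():                              # number literal or {placeholder}
        tok = take()
        if tok is None or tok in "+-*/":
            raise ValueError(f"number expected, got {tok!r}")
        return field_to_number(fields[tok[1:-1]]) if tok.startswith("{") else float(tok)
    def term():                                 # * and / bind tighter than + and -
        val = operand()
        while toks[pos[0]] in ("*", "/"):
            op, rhs = take(), operand()
            val = val * rhs if op == "*" else val / rhs
        return val
    val = term()
    while toks[pos[0]] in ("+", "-"):
        op, rhs = take(), term()
        val = val + rhs if op == "+" else val - rhs
    if toks[pos[0]] is not None:
        raise ValueError(f"unexpected token {toks[pos[0]]!r}")
    return val

def is_rejected(formula: str, fields: dict) -> bool:
    """True when validation refuses input that an eval()-based handler would have executed."""
    try:
        return evaluate(formula, fields) is None   # a successful evaluation yields False
    except (ValueError, KeyError):
        return True
```

Note that the formula itself comes from the site administrator and is still whitelisted; only numbers ever reach the arithmetic, so the quote-escaping question never arises.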
Live Exploitation and Privilege Escalation
According to telemetry from Wordfence, threat actors are weaponizing this zero-day defect to spawn unauthorized administrative accounts. Specifically, in one documented scenario, attackers transmitted a malicious payload through a text input field. This payload successfully invoked the wp_insert_user() function to establish an administrator named diksimarina.
Administrative privileges grant complete control over the compromised site. With this access, attackers can manipulate page content, install rogue plugins, deploy web shells, and exfiltrate restricted database contents.
Discovery Metrics and Remediation Directives
Security researcher h0xilo originally discovered this structural flaw. Although the developer distributed a hotfix on March 18, Wordfence observed active exploitation starting on April 13. Indeed, monitors recorded over 29,300 discrete exploitation attempts during the observation window.
Consequently, web administrators must update Everest Forms Pro immediately. They should also audit server logs and the user table for anomalous entries, in particular for an administrator account named diksimarina. Furthermore, security teams should block the source addresses 202.56.2[.]126 and 209.146.60.26, which appeared repeatedly throughout the campaign.