Hackers are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin installed on roughly 4,000 sites, to execute arbitrary code and seize full control of affected websites. The vulnerability, tracked as CVE-2026-3300 and carrying a maximum-severity CVSS score of 9.8, allows completely unauthenticated attackers to run malicious PHP code directly on a target server.
The flaw lives inside the plugin’s Calculation Addon. Its process_filter() function concatenates user-submitted form field values into a string of PHP code and passes that string to PHP’s eval() without proper escaping. The sanitize_text_field() function applied to the input does not strip single quotes or other characters that are significant in a PHP code context, so any string-type field (text, email, URL, select, or radio) is open to injection whenever a form uses the Complex Calculation feature.
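The following is an added example of the fix this description implies, not code from Everest Forms Pro: field values are accepted only as numbers and the assembled expression is evaluated by a small parser instead of being handed to eval(). The function and class names, the `{field}` placeholder syntax, and the assumption that the formula template itself comes from the form author (and not from the submission) are mine.

```php
<?php
// Added example, not the plugin's code. Assumed shape: a trusted formula template
// such as '{price} * {qty} + 2' and untrusted submitted field values. Arith is a
// minimal recursive-descent evaluator for + - * / and parentheses, used so that
// no submitted text can ever reach eval().
final class Arith {
    private array $t; private int $i = 0;
    public function __construct(string $s) {
        $this->t = preg_split('#\s*([()+\-*/])\s*#', trim($s), -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
    }
    public function run(): float {
        $v = $this->expr();
        if ($this->i !== count($this->t)) throw new RuntimeException('trailing input');
        return $v;
    }
    private function expr(): float {            // expr := term (('+'|'-') term)*
        for ($v = $this->term(); in_array($this->t[$this->i] ?? null, ['+', '-'], true);) {
            $v = $this->t[$this->i++] === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }
    private function term(): float {            // term := factor (('*'|'/') factor)*
        for ($v = $this->factor(); in_array($this->t[$this->i] ?? null, ['*', '/'], true);) {
            $v = $this->t[$this->i++] === '*' ? $v * $this->factor() : $v / $this->factor();
        }
        return $v;
    }
    private function factor(): float {          // factor := number | '-' factor | '(' expr ')'
        $tok = $this->t[$this->i++] ?? throw new RuntimeException('unexpected end');
        if ($tok === '-') return -$this->factor();
        if ($tok === '(') {
            $v = $this->expr();
            if (($this->t[$this->i++] ?? null) !== ')') throw new RuntimeException('missing )');
            return $v;
        }
        if (!is_numeric($tok)) throw new RuntimeException("bad token: $tok");
        return (float) $tok;
    }
}

// HARDENED: submitted values never become source text. Each value must be numeric
// and is emitted as a fixed-point literal (%F: no exponent, no locale), so quotes
// or other code characters in a field cannot change the structure of the expression.
function calculate_safe(string $formula, array $fields): ?float {
    foreach ($fields as $name => $value) {
        if (!is_numeric($value)) return null;    // reject anything that is not a number
        $formula = str_replace('{' . $name . '}', sprintf('%F', (float) $value), $formula);
    }
    try {
        return (new Arith($formula))->run();
    } catch (Throwable $e) {                     // bad syntax, stray placeholder, division by zero
        return null;
    }
}

var_dump(calculate_safe('{price} * {qty} + 2', ['price' => '12.5', 'qty' => '4']));   // numeric input
var_dump(calculate_safe('{price} * {qty}', ['price' => 'not a number', 'qty' => '4'])); // refused
```

Requires PHP 8.0 or later for the throw expression; division by zero is caught as a DivisionByZeroError and reported as a null result rather than a server error.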
These attack efforts have originated from the following IP addresses:
- 202.56.2.126
- 209.146.60.26
- 15.235.166.18
- 2402:1f00:8000:800::40db
- 185.78.165.153
Successful exploitation lets attackers create rogue administrator accounts, plant web shells, and establish persistent backdoor access. A patch was released on March 18, 2026 in version 1.9.13, but active exploitation did not begin until April 13, 2026.
Over 29,300 attack attempts have been blocked to date, with 16 attempts recorded in the 24 hours before this report. The most common payload attempts to create a fake administrator account named “diksimarina” on the compromised site.
The disclosure coincides with a separate wave of web skimmer attacks on Magento and Adobe Commerce checkout pages. In those campaigns, attackers abused Stripe’s customer metadata API as free command-and-control infrastructure, storing stolen card data, billing addresses, phone numbers, and emails as fake “customer” records in their Stripe account.
A second variant used Google Firestore as the exfiltration channel. Both attacks exploited the inherent trust online stores place in Stripe and Google domains to bypass content security policies and network filters.
WordPress site owners running Everest Forms Pro must update to version 1.9.13 immediately.
