A WordPress Plugin Becomes an Open Door
Attackers are actively exploiting a critical code injection vulnerability in Everest Forms Pro, a commercial WordPress plugin used to build contact forms, registration pages, payment interfaces, and custom application forms. The flaw, tracked as CVE-2026-3300, affects version 1.9.12 and all earlier releases. No authentication is required to trigger it.
The core problem sits in a feature called Complex Calculation. It takes values from form fields and concatenates them directly into a string of PHP source code, which is then executed with PHP's native eval(). WordPress's sanitize_text_field() does run on the input first, but that function is built to strip HTML tags, line breaks and stray control bytes, not to make a value safe to embed in source code: single quotes, semicolons and comment markers pass through untouched. That gap is the vulnerability.
What makes this particularly damaging is not just the execution surface but the outcome once exploitation succeeds. Attackers who pull off a working injection gain full administrator access to the target site.
How the Injection Actually Works
The attack is not especially complicated once the flaw is understood. An attacker submits a form field value that begins with a single quote. That character closes the wrapping string literal in the generated PHP code, breaking out of the intended context. What follows is a call to wp_insert_user(), WordPress’s own built-in function for creating user accounts — in this case, a new administrator account carrying the username diksimarina. A trailing // comment marker then neutralizes whatever remains of the auto-generated PHP code, including the closing quote that would otherwise produce a syntax error.
The injected code runs when the form is processed and the calculation is evaluated. The rogue admin account is created silently, with no visible indication to the site owner that anything went wrong. From that point, the attacker has unrestricted access.
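To make the mechanics concrete, here is an added example in PHP; it is not code from Everest Forms, WPEverest or Wordfence. It reconstructs the pattern the article describes with a hypothetical calculation template, a stand-in for sanitize_text_field() (the real function only exists inside WordPress, so the stand-in reproduces just the property that matters: quotes pass through), and a payload shaped like the observed one but with a harmless global flag in place of the wp_insert_user() call. Beside it is a hardened version that never lets user text reach eval(): each field value must validate as a number, and the form designer's formula is evaluated by a small arithmetic parser. The template, field names and formula are illustrative assumptions; the script needs PHP 8.

```php
<?php
// Added example (not Everest Forms or Wordfence code). Reconstructs the pattern the article
// describes: a form value passes a sanitizer that leaves quotes intact, then is spliced into
// PHP source handed to eval(). Requires PHP 8.
declare(strict_types=1);

// Stand-in for WordPress's sanitize_text_field(): strips tags, control bytes and surrounding
// whitespace but, like the real function, leaves ' ; ( ) and // alone.
function sanitize_text_field_like(string $s): string {
    return trim(preg_replace('/[\x00-\x1f\x7f]/', '', strip_tags($s)));
}

// VULNERABLE (hypothetical template): the value sits inside a single-quoted literal in the
// generated code, so a value beginning with a quote escapes the string context.
function vulnerable_calculate(string $field_value): string {
    $code = "\$value = '" . sanitize_text_field_like($field_value) . "'; return (float) \$value * 2;";
    return (string) eval($code);
}

// HARDENED: no user text reaches eval(). The designer's formula uses {field} placeholders, each
// value must validate as a number, and the bound expression goes through a small arithmetic
// parser instead of the PHP interpreter.
function evaluate_formula(string $formula, array $fields): float {
    $bound = preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($fields): string {
        $num = filter_var($fields[$m[1]] ?? '', FILTER_VALIDATE_FLOAT);
        if ($num === false) {
            throw new InvalidArgumentException("field {$m[1]} is not numeric");
        }
        return number_format($num, 6, '.', '');   // emits only digits, '.' and a leading '-'
    }, $formula);
    return Calc::evaluate($bound);
}

// Minimal recursive-descent evaluator: numbers, + - * /, parentheses, unary minus.
final class Calc {
    private array $tok = [];
    private int $i = 0;
    public static function evaluate(string $expr): float {
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
        if (implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) {
            throw new InvalidArgumentException('characters outside the arithmetic grammar');
        }
        $p = new self();
        $p->tok = $m[0];
        $v = $p->expr();
        if ($p->i !== count($p->tok)) { throw new InvalidArgumentException('unexpected trailing tokens'); }
        return $v;
    }
    private function next(): string {
        return $this->tok[$this->i++] ?? throw new InvalidArgumentException('unexpected end of formula');
    }
    private function expr(): float {
        $v = $this->term();
        while (in_array($this->tok[$this->i] ?? null, ['+', '-'], true)) {
            $op = $this->next();
            $r  = $this->term();
            $v  = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }
    private function term(): float {
        $v = $this->factor();
        while (in_array($this->tok[$this->i] ?? null, ['*', '/'], true)) {
            $op = $this->next();
            $r  = $this->factor();
            if ($op === '/' && $r === 0.0) { throw new DivisionByZeroError('division by zero in formula'); }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }
    private function factor(): float {
        $t = $this->next();
        if ($t === '-') { return -$this->factor(); }
        if ($t === '(') {
            $v = $this->expr();
            if ($this->next() !== ')') { throw new InvalidArgumentException('missing closing parenthesis'); }
            return $v;
        }
        if (!is_numeric($t)) { throw new InvalidArgumentException("unexpected token '$t'"); }
        return (float) $t;
    }
}

// Constructed inputs: a benign value and a payload shaped like the observed one (leading quote,
// attacker statement, trailing // that swallows the rest of the template). A harmless global
// flag stands in for the real payload's wp_insert_user() call.
$benign  = '21';
$payload = "'; \$GLOBALS['injected'] = true; //";

echo 'vulnerable, benign value: ', vulnerable_calculate($benign), PHP_EOL;
vulnerable_calculate($payload);
echo 'vulnerable, payload: injected=', var_export($GLOBALS['injected'] ?? false, true), PHP_EOL;
echo 'hardened, benign value: ', evaluate_formula('{qty} * 2', ['qty' => $benign]), PHP_EOL;
try {
    evaluate_formula('{qty} * 2', ['qty' => $payload]);
} catch (InvalidArgumentException $e) {
    echo 'hardened, payload: rejected (', $e->getMessage(), ')', PHP_EOL;
}
```

Run it with `php example.php`. The vulnerable path produces the expected 42 for a benign value, and for the payload it sets the global flag while the generated `return` statement is swallowed by the trailing comment, exactly the shape the article describes. The hardened path gets the same 42 and rejects the payload before any code is built, because a string that is not a number never becomes part of an expression, and even a malformed formula is confined to a grammar of numbers and operators.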
Administrator-level access on a WordPress site is not a minor foothold. It allows modification of any content, installation of arbitrary plugins and themes (which is all it takes to run PHP on the server), deployment of backdoors and webshells into the filesystem, and, through those, direct access to the database. In practice, a site compromised at the admin level can be repurposed entirely: redirected, defaced, used to distribute malware, or held for extortion, often without the legitimate owner noticing until the damage is visible.
Timeline and Active Exploitation
Researcher h0xilo identified CVE-2026-3300 and reported it to Wordfence in February 2025. The Everest Forms development team released a patch on March 18, 2025. Exploitation in the wild began on April 13, 2025 — nearly four weeks after the fix was publicly available, which is a reminder that patch release and patch adoption are two different events.
Since April 13, Wordfence's firewall has blocked more than 29,300 exploitation attempts. The traffic originates primarily from two IP addresses: 202.56.2[.]126 and 209.146.60[.]26. Wordfence has flagged both as indicators of compromise and recommends that site administrators block them at the network or firewall level. Additional offending IPs are included in Wordfence's full indicator list.
The concentration of attacks from just two IPs suggests a coordinated scanning campaign rather than opportunistic probing scattered across many sources. Whether those addresses represent the actual origin of the attacker or simply exit nodes and proxies is harder to say, but blocking them reduces exposure in either case.
What Site Administrators Should Do Now
The most direct fix is updating Everest Forms Pro to version 1.9.13 or later, which contains the patch for CVE-2026-3300. Any site still running version 1.9.12 or older with the Complex Calculation feature enabled is exposed to unauthenticated remote code execution.
Beyond the update, two immediate checks matter. First, review the WordPress user list for any accounts that should not be there, specifically any account with the username diksimarina, which the observed exploit payload creates by name. That string appears directly in the malicious wp_insert_user() call, making it a reliable indicator of a successful compromise. Second, look for the injection itself in request data: a single quote at the start of a value for a field that feeds the calculation logic. Standard Apache and nginx access logs record only the request line, not the POST body, so this check needs a source that captures form bodies, such as a WAF log, a ModSecurity audit log, or stored form entries if the site keeps them.
If a rogue administrator account is found, removal alone is insufficient. The attacker may have already used that access to install a backdoor plugin, drop a webshell into the uploads directory, or alter core files. A proper incident response at that point involves a full audit of installed plugins and themes, filesystem integrity checking against known-good copies of core and plugin files, database review for injected scripts or altered user permissions, and rotation of every credential the attacker could have read: administrator passwords, the authentication keys and salts in wp-config.php (which invalidates all existing sessions), and any API keys stored in plugin settings.
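The user-list check above, together with a check that the fixed release is actually installed, can be run in one pass from the command line. The script below is an added triage example, not Wordfence or Everest Forms tooling. It assumes WP-CLI is installed (`wp eval-file` loads WordPress before running the file), that the plugin's display name contains "Everest Forms Pro" (its directory name is not given in the article, so the match is by name), and it takes the fixed version 1.9.13, the patch date of March 18 and the username diksimarina from the article.

```php
<?php
// Added triage script (not Wordfence or Everest Forms tooling). Run from the site root with
// WP-CLI, which loads WordPress before executing the file:  wp eval-file check-admins.php
// Assumptions: WP-CLI is installed; the IoC username, the fixed version and the patch date are
// the ones the article reports; the plugin's display name contains 'Everest Forms Pro'.
$ioc_username  = 'diksimarina';
$fixed_version = '1.9.13';
$patch_date    = '2025-03-18';

// 1. Is the fixed release actually installed? Matched by display name because the plugin
//    directory is not given in the article. The free Everest Forms plugin is a separate product
//    with its own version line, so it is deliberately not matched here.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
foreach (get_plugins() as $file => $data) {
    if (stripos($data['Name'], 'Everest Forms Pro') === false) {
        continue;
    }
    $state = version_compare($data['Version'], $fixed_version, '<') ? 'VULNERABLE' : 'patched';
    WP_CLI::log(sprintf('%-10s %s %s (%s)', $state, $data['Name'], $data['Version'], $file));
}

// 2. Definitive indicator: the exact login the observed payload hands to wp_insert_user().
if (get_user_by('login', $ioc_username)) {
    WP_CLI::warning("user '$ioc_username' exists: the exploit ran here; treat the site as compromised");
} else {
    WP_CLI::log("no user named '$ioc_username'");
}

// 3. Every administrator created on or after the patch date deserves a second look, because a
//    variant payload could choose another name. user_registered is 'YYYY-MM-DD HH:MM:SS', so a
//    plain string comparison against the date works.
$admins = get_users(['role' => 'administrator', 'orderby' => 'registered', 'order' => 'DESC']);
WP_CLI::log(sprintf('%d administrator account(s):', count($admins)));
foreach ($admins as $u) {
    $flag = $u->user_registered >= $patch_date ? '   <-- created after the patch shipped; confirm with the owner' : '';
    WP_CLI::log(sprintf('  %-20s %-30s %s%s', $u->user_login, $u->user_email, $u->user_registered, $flag));
}
```

A hit on step 2 is conclusive on its own. Step 3 is there because the hardcoded username is a property of the payload Wordfence observed, not of the vulnerability; an administrator nobody remembers creating, registered after the patch shipped, should be investigated even when the known name is absent.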
Broader Exposure to Consider
Everest Forms Pro is a paid add-on, which means its install base is somewhat smaller than free plugins with millions of active installations. That limits the raw number of vulnerable sites. But paid commercial plugins present their own risk patterns: administrators sometimes delay updates because they are managing license keys, staging environments, or customizations that they worry a plugin update might break. That hesitation creates exactly the window that attackers are using here.
The 26-day gap between patch release (March 18) and first detected exploitation (April 13) also reflects a common dynamic. Vulnerabilities in commercial plugins are sometimes disclosed with less fanfare than those in widely distributed free software, which can slow the spread of awareness. Attackers, meanwhile, monitor security advisories closely and begin scanning shortly after a working exploit becomes practical to build.
WordPress as a platform is not uniquely insecure, but its plugin ecosystem creates a large attack surface simply because the number of third-party extensions is enormous and update discipline varies widely across the user base. A plugin that handles form submissions — user input by design — is a natural target for injection research.
The Username Is a Detail Worth Taking Seriously
diksimarina is a specific, hardcoded username in the observed exploit payload. Its presence in WordPress user tables or server logs is not ambiguous. Finding it means the exploit ran successfully and an unauthorized administrator account was created.
That specificity is actually useful for defenders. A simple search through the users table — or a log grep — for that string takes seconds and gives a definitive answer about whether a particular site was compromised before the patch was applied. Site owners who updated promptly after March 18 are almost certainly safe. Those who did not update until after April 13, or who have not updated yet, should treat that username check as the first step in assessing their exposure.
Wordfence also recommends that defenders review the full indicator-of-compromise list it has published, which contains additional IP addresses beyond the two primary sources. Blocking 202.56.2[.]126 and 209.146.60[.]26 at the network level is the minimum recommended action for any site that cannot update immediately.
The patch has been available for over a month. The attacks are not stopping.