TechRadar
Sead Fadilpašić

WordPress users beware — experts claim sites are being hijacked using a critical flaw in popular Everest Forms Pro plugin

  • Critical RCE flaw in Everest Forms Pro (CVE‑2026‑3300) actively exploited
  • Attackers create rogue admin account “diksimarina” via PHP injection
  • Nearly 30,000 takeover attempts blocked; admins urged to patch and block key IPs

Security researchers are warning of an ongoing hacking campaign targeting WordPress websites that run a popular form-building plugin.

Wordfence has reported that Everest Forms Pro, a popular WordPress plugin used to build contact, registration, payment, and other application forms, carried a critical-severity vulnerability that allowed attackers to take over affected sites entirely.

The bug was described as a Remote Code Execution (RCE) flaw via PHP code injection. It is tracked as CVE-2026-3300 and was given the severity rating of 9.8/10 (critical). It affects all versions of the plugin up to, and including, 1.9.12.

Patched months ago

Wordfence is now warning that the flaw is being actively abused in the wild to create malicious admin accounts on vulnerable websites:

“The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user() to create a new administrator account with the username ‘diksimarina’,” Wordfence warned in its report.

“The trailing // comment marker ensures the rest of the generated PHP code, including the closing quote, is treated as a comment and does not cause a syntax error.”

“When the form is processed, and the calculation is evaluated, the injected PHP code is executed, and the malicious administrator account is created.”
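The mechanism Wordfence describes, shown as an added PHP illustration rather than the plugin's own code: the calculation template, the function names and the stand-in for wp_insert_user() are assumptions made for the demonstration, and the real Everest Forms Pro engine is not reproduced here. The vulnerable builder pastes a field value into a single-quoted literal without escaping; the hardened builder uses var_export() so the quote, the injected statement and the trailing // all stay inside the literal.

```php
<?php
// Added illustration, not Everest Forms Pro's code. It models the pattern
// in the Wordfence report: a submitted field value is pasted into a string
// literal inside generated PHP, and that PHP is then evaluated.

// Vulnerable shape (assumed): the value is wrapped in single quotes with no
// escaping, so a value that starts with a quote breaks out of the literal.
function build_calc_vulnerable(string $field_value): string
{
    return "\$field = '" . $field_value . "';";
}

// Hardened shape: var_export() emits a correctly escaped PHP string literal,
// so quotes, backslashes and comment markers cannot leave the literal.
function build_calc_hardened(string $field_value): string
{
    return "\$field = " . var_export($field_value, true) . ";";
}

// Stand-in for wp_insert_user(): only records that the injected call ran,
// so the script runs outside WordPress without touching any user table.
$GLOBALS['admin_created'] = false;
function fake_insert_user(): void
{
    $GLOBALS['admin_created'] = true;
}

// Evaluates the generated code the way a calculation step would, then reports
// what the field ended up holding and whether the injected call executed.
function run_calc(callable $builder, string $field_value): array
{
    $GLOBALS['admin_created'] = false;
    $code = $builder($field_value);
    $field = null;
    eval($code); // eval() shares this function's scope, so $field is set here
    return [
        'code' => $code,
        'field' => $field,
        'admin_created' => $GLOBALS['admin_created'],
    ];
}

// Constructed payload mirroring the shape in the report: a leading quote to
// close the literal, the injected statement, and // to comment out the
// generated closing quote so the result still parses.
$payload = "'; fake_insert_user(); //";

foreach (['build_calc_vulnerable', 'build_calc_hardened'] as $builder) {
    $r = run_calc($builder, $payload);
    echo $builder, "\n";
    echo "  generated:         ", $r['code'], "\n";
    echo "  field value:       ", var_export($r['field'], true), "\n";
    echo "  injected call ran: ", var_export($r['admin_created'], true), "\n";
}
```

Run it with `php demo.php`: the vulnerable builder generates `$field = ''; fake_insert_user(); //';`, which sets `$field` to an empty string and runs the injected call, while the hardened builder keeps the whole payload as the field's value and the call never runs. Escaping makes the trust boundary visible, but the hardened variant still evaluates generated code; the durable fix is to stop generating PHP from form input at all and evaluate calculations with a dedicated expression parser instead.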

By creating an admin account, malicious actors can do almost anything with the website, including exfiltrating stored files, redirecting visitors, or even serving malware.

The bug was first disclosed in February this year, and by mid-March the Everest Forms developer had released a fix. Wordfence says that exploitation attempts started roughly a month later, in mid-April. So far it has thwarted almost 30,000 attempts, most of which came from two IP addresses.

Admins worried about being potential targets should update the plugin to the patched release, block the two IP addresses 202.56.2[.]126 and 209.146.60[.]26, and review log files for the string “diksimarina.” Because the attack succeeds by creating a user rather than dropping a file, the user list should be checked as well: any administrator account that was not created by the site's own staff, whatever its name, is a sign the site was already compromised, and blocking only the two known source addresses does not cover attempts from elsewhere.

Via BleepingComputer
