
Everest Forms Pro CVE-2026-3300: RCE Flaw Used to Hijack WordPress Sites

CVE-2026-3300 (CVSS 9.8) is an RCE flaw in Everest Forms Pro's Complex Calculation feature. Over 29,300 exploit attempts blocked. Patch to version 1.9.13.
Sami Malik
Copywriter

In April 2026, attackers began exploiting CVE-2026-3300, a critical remote code execution flaw in the Everest Forms Pro WordPress plugin, roughly two weeks after public disclosure. By the time researchers published detailed findings, more than 29,300 exploit attempts had already been blocked. The vulnerability requires no authentication, affects any site using the plugin's Complex Calculation feature, and gives attackers full control of the underlying server once successfully exploited. For the roughly 4,000 sites running Everest Forms Pro, the window for safe inaction had already closed.

What CVE-2026-3300 Is and How It Works

CVE-2026-3300 carries a CVSS score of 9.8 — the near-maximum rating reserved for vulnerabilities that are trivially exploitable, require no authentication, and grant complete system access. The flaw sits in the Complex Calculation addon distributed as part of Everest Forms Pro, a commercial form builder developed by WPEverest with approximately 4,000 active installations.

According to The Hacker News, the vulnerability exists in the process_filter() function within the Calculation Addon. When a visitor submits a form that uses the Complex Calculation feature, their input values are concatenated into a PHP code string and passed directly to PHP's eval() function without proper sanitisation or escaping. This is a textbook PHP code injection pattern: anything submitted in the form field is executed as live PHP code on the server.

PHP Code Injection via process_filter() and eval()

The specific problem with using eval() on unsanitised user input is that the function interprets its argument as executable PHP code, not as a string. A legitimate value like 42 would calculate normally. A crafted value like system('whoami') would execute the system() function and return the username of the web server process running WordPress. From that foothold, an attacker can escalate to writing files, creating users, and executing arbitrary operating system commands.

PHP code injection via eval() is one of the most dangerous vulnerability classes in web application security precisely because it gives the attacker direct access to the PHP interpreter with the permissions of the web server process. On shared hosting environments, that process often has write access to the entire account, not just the WordPress installation.
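To make the contrast concrete, here is an added example (not code from Everest Forms Pro or WPEverest, and written in Python rather than the plugin's PHP, because the pattern is language-independent): a calculator that splices the submitted text into `eval()`, beside one that parses the expression into a syntax tree and evaluates only whitelisted arithmetic. The operator set, the field-name lookup and the length and exponent limits are assumptions chosen for a form calculator; the hostile inputs in the demo are the `system('whoami')` shape the article describes and are refused before anything is evaluated.

```python
"""Added example: eval()-on-user-input versus a whitelisted AST evaluator.
Python stand-in for the PHP process_filter()/eval() pattern; not the plugin's code."""
import ast
import operator

# Operators a form calculator legitimately needs (assumption for this example).
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPRESSION_LEN = 200


def unsafe_calculate(expression: str) -> float:
    """The vulnerable shape: submitted text is spliced into source code and
    handed to eval(), so whatever the visitor typed runs as code. Kept here
    only as the 'before' picture; never ship this."""
    return eval("(" + expression + ")")


def safe_calculate(expression: str, fields: dict) -> float:
    """The hardened shape: parse the text into a syntax tree and evaluate it by
    walking the tree. Only numeric literals, names of known form fields and
    arithmetic operators are accepted; calls, attribute access, subscripts,
    strings and everything else are refused before any evaluation happens."""
    if len(expression) > MAX_EXPRESSION_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid expression: {exc.msg}") from None

    def walk(node: ast.AST) -> float:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return float(node.value)
        if isinstance(node, ast.Name):
            if node.id not in fields:
                raise ValueError(f"unknown field {node.id!r}")
            return float(fields[node.id])
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > 16:
                raise ValueError("exponent too large")  # bound CPU and memory use
            return _BINARY_OPS[type(node.op)](left, right)
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        # Call, Attribute, Subscript, Lambda, Compare, strings, ... all land here.
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    try:
        return walk(tree)
    except ZeroDivisionError:
        raise ValueError("division by zero") from None


def is_rejected(expression: str, fields=None) -> bool:
    """True if safe_calculate() refuses the expression."""
    try:
        safe_calculate(expression, fields or {})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(safe_calculate("price * qty + 5", {"price": 10, "qty": 3}))  # 35.0
    print(is_rejected("system('whoami')"))                             # True
    print(is_rejected("__import__('os').getcwd()"))                    # True
```

The design point is that the safe version never asks the language runtime to interpret the input; it interprets the input itself and can therefore enumerate exactly what is allowed. The same idea in PHP is a small tokenizer or a library such as a maths-expression parser, with `eval()` removed entirely.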

Why No Authentication Is Needed

The Everest Forms Pro Complex Calculation feature is designed to let site administrators build forms with dynamic calculations, such as pricing estimators, quote generators and loan calculators, that any visitor can use. Because the feature must be accessible to anonymous visitors by design, the vulnerable process_filter() function is reachable without any login. An attacker needs only to locate a WordPress site running a vulnerable version of the plugin, find a form using the Complex Calculation feature, and submit a crafted payload.

The Vulert analysis confirms that the flaw affects every release of Everest Forms Pro up to and including version 1.9.12. WPEverest released version 1.9.13 containing the patch.

The Attack in Practice: What Happened After Disclosure

The timeline of CVE-2026-3300 follows a pattern that security teams have seen repeatedly with WordPress plugin vulnerabilities: public disclosure, a brief lull, then a wave of automated exploitation that begins before most site administrators have had a chance to react.

April 13: When Attacks Began

BleepingComputer reported that active exploitation began on 13 April 2026, approximately two weeks after public disclosure of the vulnerability. That two-week gap is consistent with the time it takes for automated scanning tools and exploit frameworks to incorporate a new vulnerability and begin targeting it at scale. It also represents the critical window during which site administrators running Everest Forms Pro needed to act, and many did not.

The "diksimarina" Admin Account Creation Payload

The leading exploit payload observed during the April attack wave attempts to create a new WordPress administrator account with the username "diksimarina." This is a deliberate choice: a generic, unmemorable username that blends into sites with many registered users and does not immediately suggest compromise. Once the account is created, the attacker has persistent, authenticated administrator access to the WordPress installation and no longer depends on the vulnerability to maintain their foothold.

The "diksimarina" naming pattern has appeared in multiple unrelated WordPress attack campaigns, suggesting that the payload template is shared across different threat groups rather than being the signature of a single actor. Any WordPress site administrator who finds an account with this username should treat it as a confirmed indicator of compromise and investigate the full scope of the intrusion.

29,300 Exploit Attempts Blocked

The volume of blocked exploit attempts (over 29,300 by the time detailed reporting was published) reflects the automated, opportunistic character of WordPress plugin attacks. Attackers do not manually target individual sites; they deploy automated tools that scan large swaths of the internet for WordPress installations, probe them for known vulnerable plugin versions, and submit exploit payloads at scale. A site with a vulnerable Everest Forms Pro installation is not targeted because of who owns it or what it contains; it is targeted because it exists and is reachable.

Who Is Affected and How Many Sites Are at Risk

Everest Forms Pro has approximately 4,000 active installations according to data from Infosecurity Magazine. Every one of those installations running version 1.9.12 or earlier that uses the Complex Calculation feature is directly vulnerable to unauthenticated remote code execution.

4,000 Active Installations

Four thousand sites may seem like a modest number compared to plugins with millions of installations. But the profile of Everest Forms Pro users matters: the plugin is a commercial product with a paid licence, which means its users tend to be businesses running websites for commercial purposes: e-commerce stores, professional services firms, lead generation sites. These installations are more likely to process sensitive data and to represent higher-value targets than sites running free hobbyist plugins.

Any Site Using the Complex Calculation Feature

Not every Everest Forms Pro installation is equally exposed. The vulnerable code path exists specifically in the Complex Calculation addon. A site running Everest Forms Pro but not using that addon is not directly vulnerable through this specific flaw, though the presence of an unpatched plugin version still represents a risk if other vulnerabilities are discovered. Administrators who cannot immediately update should identify which forms on their site use the Complex Calculation feature and consider temporarily disabling that feature until the patch is applied.

What Happens Once an Attacker Has Admin Access

The immediate impact of a successful CVE-2026-3300 exploit is remote code execution with web server process permissions. In practice, that translates to a wide range of possible follow-on actions depending on what the attacker is trying to achieve.

From Plugin Exploit to Full Site Compromise

A WordPress administrator account created via the "diksimarina" payload gives the attacker access to everything the WordPress admin panel controls. From there, they can install additional plugins (including those designed to provide persistent shell access), modify theme files to inject malicious code, access all content stored in the WordPress database including user accounts and form submissions, and configure the site to serve malware or phishing content to visitors.

Once an attacker has achieved remote code execution at the operating system level, they can go further: reading environment variables and configuration files that may contain database credentials, cloud provider API keys, or other sensitive values stored on the server. Understanding the full attack surface of a web application means accounting for these secondary data exposures, not just the initial point of compromise.

Realistic Post-Exploitation Scenarios

For commercial sites, the most common post-exploitation scenarios include credential harvesting from form submissions, installation of cryptocurrency mining software on the server, redirection of site visitors to phishing or malware distribution pages, and use of the server as infrastructure for sending spam or hosting further attack payloads. For sites that process customer data, a compromise can trigger data breach notification obligations under GDPR, CCPA, or other applicable regulations, adding regulatory exposure on top of the direct technical impact. Monitoring for indicators of compromise in your web server logs and WordPress activity log can help identify intrusions that have already occurred before a patch is applied.

What to Do Now

The remediation path for CVE-2026-3300 is clear: update Everest Forms Pro to version 1.9.13 or later. WPEverest released the patched version addressing the vulnerability in the process_filter() function.

Patching to 1.9.13

Updating a commercial WordPress plugin requires access to the WPEverest account used to purchase the licence. From the WordPress admin panel, navigate to Plugins, find Everest Forms Pro, and update if a new version is available. If the automatic update does not appear, log into your WPEverest account, download the latest version of the plugin manually, and install it via the Plugins upload interface. After updating, verify the installed version number in the plugin list matches 1.9.13 or higher.

If You Cannot Patch Immediately

If an immediate update is not possible (for instance, because the update requires testing in a staging environment first), the most effective interim measure is to disable the Complex Calculation addon within Everest Forms Pro. This removes the specific code path that CVE-2026-3300 exploits. Review your WordPress user list for any accounts you do not recognise, with particular attention to accounts with administrator privileges. If you find the "diksimarina" account or any other unrecognised administrator account, treat the site as compromised and conduct a full integrity review before restoring normal operations.

Why WordPress Plugin Security Matters for Enterprises

WordPress powers over 43% of all websites globally, including a significant number of enterprise intranets, public-facing portals, and e-commerce platforms. Plugin vulnerabilities, not WordPress core, are the primary attack vector for WordPress compromise. The core platform is updated frequently and automatically by most hosting environments; it is the sprawling ecosystem of third-party plugins (some actively maintained, many not) that introduces the most persistent risk.

Commercial plugins present a specific challenge. They are purchased once and often left unattended, particularly when the hosting environment has no automated plugin update policy. The purchasing decision and the ongoing maintenance responsibility frequently sit with different people in an organisation, creating gaps where updates fall through. A threat intelligence programme that monitors vulnerability disclosures for technologies in use across your environment can help close that gap by surfacing critical plugin vulnerabilities before attackers begin exploiting them at scale.

Frequently Asked Questions

Is the free version of Everest Forms also affected by CVE-2026-3300?

CVE-2026-3300 is specific to Everest Forms Pro. The Complex Calculation addon that contains the vulnerable process_filter() function is a Pro-only feature not present in the free version of Everest Forms. Sites using only the free plugin are not exposed to this specific vulnerability.

What is the Complex Calculation Addon and should I disable it?

The Complex Calculation Addon is a feature of Everest Forms Pro that allows form designers to build forms with dynamic mathematical calculations based on user input: pricing estimators, loan calculators, quote forms and similar tools. If you are running a vulnerable version and cannot immediately patch, disabling this specific addon removes the exploitable code path. If you have patched to 1.9.13, you can continue using the addon normally.

We use a WAF. Does that protect us from CVE-2026-3300?

A Web Application Firewall can block known exploit payloads for CVE-2026-3300 if its rule set has been updated to include signatures for this vulnerability. However, WAF protection should not be treated as a substitute for patching. Rule-based WAF protections can often be bypassed with minor payload variations, and a WAF that has not had its rules updated since before April 2026 will not block these attacks. Apply the patch and treat the WAF as a secondary defence layer.

How do attackers find sites running a vulnerable Everest Forms Pro version?

Automated tools scan large ranges of IP addresses for WordPress installations, then probe each site's plugin directory for version-identifying files or check the plugin's readme.txt, which typically contains the current version number. Once a vulnerable version is confirmed, the exploit payload is submitted automatically. This process requires no manual intervention from the attacker and can scan millions of sites per day, which is why the number of blocked attempts grew so quickly after disclosure.

What should I do if I find the "diksimarina" account on my site?

Finding the "diksimarina" account confirms that your site has been successfully compromised. Do not simply delete the account and assume the problem is resolved. The attacker may have installed additional backdoors, modified plugin or theme files, or created other administrator accounts. Take the site offline or into maintenance mode, conduct a full file integrity check against a known-good backup, scan for modified PHP files using a tool such as Wordfence, review all administrator accounts and remove any that were not explicitly created by your team, and restore from a verified clean backup if possible. Then patch to 1.9.13 before bringing the site back online.

The Vulnerability Disclosure Timeline and the Race to Exploit

The two-week gap between public disclosure and the onset of active exploitation for CVE-2026-3300 deserves careful examination, because it illustrates a structural problem in how WordPress plugin vulnerabilities are handled. When a security researcher discovers and reports a vulnerability in a commercial plugin, the disclosure process typically involves notifying the developer privately, allowing time for a patch to be developed, and then publishing the details publicly once a fix is available. This responsible disclosure model protects users, in theory.

In practice, the public disclosure of CVE-2026-3300 triggered a different process on the attacker side: automated tools and exploit framework maintainers incorporated the vulnerability details and began scanning. This is not unusual or particularly sophisticated; it is the default behaviour of the exploit market. Security researchers who publish vulnerability details, even alongside a patch, must accept that the publication itself accelerates the exploitation timeline for any site that has not yet updated.

The implication for WordPress site operators is stark: patching within two weeks of a critical vulnerability disclosure is not a comfortable window, it is a deadline. Sites that had not updated to version 1.9.13 by 13 April 2026 were already being actively targeted. For organisations with complex testing and change management requirements around plugin updates, this timeline demands either pre-established fast-track procedures for critical CVEs or a more aggressive posture toward auto-updates for known plugins.

Forensic Indicators of a CVE-2026-3300 Compromise

For security teams investigating whether a WordPress site may have been compromised via CVE-2026-3300, several forensic indicators can confirm or rule out a successful exploitation, separate from simply finding the "diksimarina" administrator account.

Web server access logs are the primary forensic record. A successful exploitation attempt will appear as a POST request to the URL of a form using the Complex Calculation feature, typically with an unusually long or structured value in the form field associated with the calculation. The payload will contain PHP function calls rather than numerical values. Access logs should be reviewed for the period from 13 April 2026 onwards if the site was running a vulnerable version at that time.
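One caveat a practitioner will run into: a standard Apache or Nginx combined access log records the method, path, query string, source address and timing of the POST, but not its body, so the form value itself is only visible where a WAF, a ModSecurity-style audit log or an application log retains request bodies. The following added example (not the article's or any vendor's code) triages such a body-retaining log. The JSON line format, the `calc_value` parameter name and every request in the sample are constructed for the example; the real Everest Forms request field is not given in the article, so substitute the one your form submits. A value is flagged when it is unusually long, contains anything other than digits and arithmetic, or has the identifier-followed-by-parenthesis shape of a function call.

```python
"""Added example: flag calculation-field submissions that are not numbers or
arithmetic. Sample records are constructed for this example, not real traffic."""
import json
import re
from urllib.parse import parse_qs, urlencode

# Placeholder parameter name; the article does not name the real request field.
CALC_FIELDS = {"calc_value"}
MAX_VALUE_LEN = 64
# A legitimate calculator input is a number or plain arithmetic.
ARITHMETIC_ONLY = re.compile(r"^[0-9\s.+\-*/%()]*$")
# An identifier immediately followed by "(" is the shape of a PHP function call.
CALL_SYNTAX = re.compile(r"[A-Za-z_]\w*\s*\(")


def build_sample_log() -> str:
    """One JSON object per line, the shape a WAF or ModSecurity audit log
    produces when it keeps request bodies (constructed, not captured)."""
    records = [
        {"ts": "2026-04-13T03:14:07Z", "src": "203.0.113.7", "method": "POST",
         "path": "/quote/", "body": urlencode({"calc_value": "42", "qty": "3"})},
        {"ts": "2026-04-13T03:14:09Z", "src": "203.0.113.7", "method": "POST",
         "path": "/quote/", "body": urlencode({"calc_value": "1;system('whoami')", "qty": "3"})},
        {"ts": "2026-04-13T03:15:11Z", "src": "198.51.100.4", "method": "POST",
         "path": "/quote/", "body": urlencode({"calc_value": "12.5 * 4 + 2", "qty": "1"})},
        {"ts": "2026-04-13T03:16:02Z", "src": "198.51.100.9", "method": "GET",
         "path": "/quote/", "body": ""},
        {"ts": "2026-04-13T03:17:45Z", "src": "192.0.2.77", "method": "POST",
         "path": "/quote/", "body": urlencode({"calc_value": "9" * 300})},
    ]
    return "\n".join(json.dumps(r) for r in records) + "\n"


def classify_value(value: str) -> list:
    """Return the reasons a submitted calculation value looks hostile (empty means benign)."""
    reasons = []
    if len(value) > MAX_VALUE_LEN:
        reasons.append(f"value length {len(value)} exceeds {MAX_VALUE_LEN}")
    if not ARITHMETIC_ONLY.match(value):
        reasons.append("non-arithmetic characters")
    if CALL_SYNTAX.search(value):
        reasons.append("function-call syntax")
    return reasons


def scan_audit_log(text: str) -> list:
    """Flag POST requests whose calculation field is not a number or arithmetic.
    Returns one finding per suspicious value with timestamp, source and reasons."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        params = parse_qs(rec.get("body", ""), keep_blank_values=True)
        for field in sorted(CALC_FIELDS.intersection(params)):
            for value in params[field]:
                reasons = classify_value(value)
                if reasons:
                    findings.append({"ts": rec["ts"], "src": rec["src"],
                                     "path": rec["path"], "field": field,
                                     "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_audit_log(build_sample_log()):
        print(finding)
```

Two of the five sample requests are flagged: the one carrying `system('whoami')` and the one with a 300-character value. The arithmetic submission `12.5 * 4 + 2` passes, which is the point of an allowlist over characters rather than a blocklist over function names: new payload variants that avoid known names still fail the "digits and operators only" test.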

WordPress activity logs (available through plugins such as WP Activity Log or built into some security suites) may record the creation of the "diksimarina" account with an exact timestamp, the source IP that initiated the request, and any subsequent actions taken from that account. This information is valuable not only for confirming the compromise but for understanding its scope: what pages were accessed, what settings were changed, and whether additional backdoors were installed during the session.

PHP file modification timestamps are another indicator. Attackers who establish initial access via CVE-2026-3300 frequently write web shells or modified plugin files to the server to maintain persistent access independently of the administrator account. A file integrity scan comparing the current state of all PHP files in the WordPress installation against a known-good baseline will surface any files that were added or modified after the site began running a vulnerable version. Free tools like Wordfence offer file integrity checking as part of their basic feature set.
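Modification timestamps are easy for an intruder to reset, so the comparison that actually holds up is a content hash against a copy you trust. The following added example (not Wordfence's or any plugin's code) shows the baseline-and-compare routine in its simplest form: hash every `.php` file under the install, store the map, rescan later and report files that were added, modified or removed. The `demo()` function builds a throwaway tree in a temporary directory with placeholder file paths and contents; the file it plants under `uploads/` and the line it appends to the theme are inert placeholders standing in for what an integrity scan would catch, not real payloads.

```python
"""Added example: hash-based integrity baseline for the PHP files of a WordPress
install. Paths and contents in demo() are placeholders built in a temp directory."""
import hashlib
import tempfile
from pathlib import Path


def hash_php_files(root) -> dict:
    """Map each .php file (path relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*.php")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_baseline(current: dict, baseline: dict) -> dict:
    """Classify files as added, modified or removed relative to the baseline."""
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Simulate: baseline a clean install, then an intruder edits a theme file
    and drops a new PHP file under uploads; rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        clean_files = {  # placeholder layout, not a real install
            "wp-config.php": "<?php define('DB_NAME', 'placeholder');\n",
            "wp-content/themes/site/functions.php": "<?php // theme functions\n",
            "wp-content/plugins/example-plugin/example-plugin.php": "<?php // plugin bootstrap\n",
            "wp-content/uploads/2026/04/image.jpg": "not php; ignored by the scan",
        }
        for rel, body in clean_files.items():
            target = site / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        # In practice the baseline comes from a known-good backup or a fresh
        # vendor download, never from the possibly-compromised live copy.
        baseline = hash_php_files(site)

        # Simulated post-compromise changes (inert placeholders, not real payloads).
        (site / "wp-content/themes/site/functions.php").write_text(
            "<?php // theme functions\n// line appended by an intruder\n")
        (site / "wp-content/uploads/2026/04/cache.php").write_text(
            "<?php // placeholder standing in for a dropped file\n")

        return compare_to_baseline(hash_php_files(site), baseline)


if __name__ == "__main__":
    print(demo())
```

Any PHP file under `wp-content/uploads/` is worth attention regardless of hash, since that directory should only ever hold media; the `added` list surfaces it, and the `modified` list surfaces the edited theme file even though an intruder could have restored its timestamp.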

The Broader WordPress Plugin Security Problem

CVE-2026-3300 is not an exceptional case; it is representative of a class of vulnerability that appears repeatedly across the WordPress plugin ecosystem. The combination of factors that made this flaw exploitable (user-controlled input passed to eval() without sanitisation) is a known anti-pattern that has produced critical vulnerabilities in dozens of plugins over the past decade. The question worth asking is not why this specific vulnerability existed in Everest Forms Pro, but why the same class of flaw continues to appear in new plugins years after it became well-documented.

Part of the answer lies in the economic structure of WordPress plugin development. Many commercial plugins are built by small development teams or individual developers for whom security review is not a primary focus. The WordPress.org plugin repository has introduced automated security scanning, but commercial plugins sold directly through a developer's own site, as Everest Forms Pro is, bypass that review process. Buyers have no visibility into the security practices of the developer before purchase, and no systematic notification mechanism when a critical vulnerability is discovered.

For enterprise environments that use WordPress, managing this risk requires treating plugin inventory as a security concern rather than just a development concern. Knowing which plugins are installed across all WordPress properties, which have auto-updates enabled, and which require manual intervention for updates is the minimum viable posture. Security teams that integrate WordPress plugin vulnerability feeds into their threat intelligence monitoring workflows (either via the WPScan Vulnerability Database API or NVD alerts for WordPress-related CVEs) can close the awareness gap and reduce the time between disclosure and patch deployment.

What Attackers Do With Compromised WordPress Sites

The "diksimarina" account creation payload is designed for one specific objective: establishing persistent, authenticated access. Once that access exists, the site becomes useful infrastructure for a range of secondary activities that often have nothing to do with the site's original purpose or its operators.

Search engine optimisation fraud (sometimes called SEO spam or the Japanese keyword hack) is among the most common uses of compromised WordPress sites. Attackers inject hidden pages or links into the site's content to manipulate search rankings for unrelated commercial terms, typically in pharmaceutical, gambling, or adult content categories. This activity is often invisible to site administrators browsing the front end but visible in Google Search Console as unexpected pages being indexed. It can take months to fully clean and can result in Google de-indexing the legitimate site alongside the spam content, with significant organic traffic consequences.

Phishing hosting is another frequent use case. A compromised WordPress site on a legitimate, aged domain with an established reputation is more effective as a phishing host than a freshly registered domain, because URL filtering and email security tools are less likely to flag it automatically. The attacker creates a subdirectory or subdomain on the compromised site to host a credential harvesting page, uses the site's established reputation to evade filters, and moves on to the next compromised host when the phishing page is eventually detected. The legitimate site operator is left to deal with blocklist removals and reputation recovery.

Understanding the full downstream impact of a WordPress compromise on your digital attack surface (including the secondary consequences for SEO, email deliverability, and brand trust) reinforces why rapid patching of critical vulnerabilities like CVE-2026-3300 is not merely a technical obligation but a business continuity concern.

Beyond exploiting vulnerabilities in plugin code, attackers have moved to compromising the update infrastructure used to distribute WordPress plugins to buyers. A supply chain attack on ShapedPlugin pushed a backdoor through the Easy Digital Downloads pipeline to sites running three of the company's Pro plugins, granting access to administrator credentials, authentication codes, and WooCommerce data without any CVE being exploited on the target site. The campaign is examined in our analysis of the ShapedPlugin WordPress supply chain attack.

How Defendis Can Help

Attacks like this one rarely announce themselves through official channels first. New payloads, active infrastructure, and exploitation techniques circulate in closed forums and private channels well before any public research surfaces them. By the time an incident makes it into a threat report, organisations without early visibility are already behind.

Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news: context about emerging threats, matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.


About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.
